crypto/x509: intermediates with unknown critical extensions not rejected #22260

rsc · 2017-10-13T23:39:33Z

From CL 69294:

In https://golang.org/cl/9390 I messed up and put the critical extension
test in the wrong function. Thus it only triggered for leaf certificates
and not for intermediates or roots.

In practice, this is not expected to have a security impact in the web
PKI.

Per @agl, we should backport this to Go 1.9 and Go 1.8 as part of our regular point releases, but it doesn't warrant a special pre-announced security release (because, as the description says, it "is not expected to have a security impact in web PKI").

rsc · 2017-10-13T23:40:32Z

CL 69294 OK for Go 1.9.2.

rsc · 2017-10-26T21:09:24Z

go1.9.2 has been packaged and includes:

CL 69294

The release is posted at golang.org/dl.

— golang.org/x/build/cmd/releasebot, Oct 26 21:09:24 UTC

rsc added this to the Go1.9.2 milestone Oct 13, 2017

rsc mentioned this issue Oct 13, 2017

crypto/x509: intermediates with unknown critical extensions not rejected [Go1.8] #22261

Closed

rsc added release-blocker CherryPickApproved Used during the release process for point releases labels Oct 13, 2017

rsc mentioned this issue Oct 15, 2017

all: Go 1.9.2 release status #22277

Closed

rsc closed this as completed Oct 26, 2017

golang locked and limited conversation to collaborators Oct 26, 2018

gopherbot added the FrozenDueToAge label Oct 26, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto/x509: intermediates with unknown critical extensions not rejected #22260

crypto/x509: intermediates with unknown critical extensions not rejected #22260

rsc commented Oct 13, 2017

rsc commented Oct 13, 2017

rsc commented Oct 26, 2017

crypto/x509: intermediates with unknown critical extensions not rejected #22260

crypto/x509: intermediates with unknown critical extensions not rejected #22260

Comments

rsc commented Oct 13, 2017

rsc commented Oct 13, 2017

rsc commented Oct 26, 2017