Filippo ValsordaJun 20

In 2020, OpenSSL had a vulnerability in handling the signature_algorithms_cert extension. https://openssl-library.org/news/secadv/20200421.txt

Palo Alto apparently "solved" this in their IPS by blocking connections with "unknown" algs in signature_algorithms_cert.

Six years later, we can't add ML-DSA to signature_algorithms_cert in Go. signature_algorithms_cert is dead.

Sigh.

Thanks to @cks for diagnosing this. Sometimes it takes us months to figure out things like this.

https://github.com/golang/go/issues/79626#issuecomment-4754225610

Show threadAdam Langley

@filippo @cks

It was originally “have one joint and keep it well oiled”, but I guess it’s “have one joint and keep it well GREASEd” these days.

Jun 20 at 2:19pmWeb
Show threadsayrerJun 20
@agl @filippo @cks wow, nightmare fuel 🙃