[openssl-users] OpenSSL Security Advisory - CVE-2015-1793
Lewis Rosenthal
lgrosenthal at 2rosenthals.com
Fri Jul 10 14:16:58 UTC 2015
On 07/10/2015 09:32 AM, Matt Caswell wrote:
>
> On 10/07/15 13:09, R C Delgado wrote:
>> Hello,
>>
>> With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c.
>> How deep does the certificate chain have to be?
>> If I have 2 self-signed CA certificates, and a non-CA certificate is
>> received for verification, will this hit the problem?
>>
>> Also, is it a condition of the bug that both CA certificates have to
>> have the same subject names and keys, as suggested in the file?
>
> The conditions for triggering the bug are a little complicated, but I'll
> do my best to explain it.
>
<snip>
> So these certs would need to be present (at a minimum):
>
> Chain 1:
>
> Trusted Cert 1
> |
> Untrusted Cert 1
> |
> Leaf
> |
> Bad
>
> Chain 2:
>
> Trusted Cert 2
> |
> Leaf
> |
> Bad
>
> There are other possible longer chains, but this is the minimum set. For
> 1.0.2, Chain 1 would have to be non-trusted, even though we have added a
> trusted cert. This can occur if Trusted Cert 1 is not self signed and
> its issuer is not in the trusted store. For 1.0.1 any chain will do.
> Untrusted Cert 1 and Trusted Cert 2 would both have to be valid issuers
> of Leaf (i.e. they have the same subject names and public keys). Chain 2
> must be trusted (so Trusted Cert 2 has to be a self-signed root).
>
Thanks, Matt. This is the most cogent explanation I've seen to date.
Cheers
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies see www.2rosenthals.com
-------------------------------------------------------------
More information about the openssl-users
mailing list