[openssl-users] CVE-2015-1793 only on cert-based client auth?

Colin Edwards colin.p.edwards at gmail.com
Mon Jul 13 17:03:09 UTC 2015


I've been reading/hearing different opinions on the recent vulnerability
for cert chain forging that was patched (CVE-2015-1793).

Some people are saying the vulnerability only exists if a system is using
certificate-based client authentication (mutual auth, where both server and
client are authenticated).  Basically, that the chain forging can only be
done on the client side.

Others are saying certs can be forged on the server, on implementations
that use only server-side authentication, and if the client is using
OpenSSL it will verify/accept the forged chain.  This could effectively
result in MitM against OpenSSL clients.

Can anyone on this list clarify with details?

Thanks,
Colin

sent from mobile