[openssl-users] CVE-2015-1793 only on cert-based client auth?
Kurt Roeckx
kurt at roeckx.be
Tue Jul 14 21:45:14 UTC 2015
On Tue, Jul 14, 2015 at 01:23:52PM -0400, Colin Edwards wrote:
> Thank you, Kurt. The information I was getting (from some sources) was that
> the vulnerability was only present in configurations where the server was
> authenticating a client certificate. The fact is, the vulnerability applies
> to certificate validation regardless of if it's on the client or server
> side.
Right, and validation doesn't even have to be about TLS either.
It's about any check of a certificate chain.
Kurt