[openssl-users] SSL Cert serial number non-uniqueness impact

Salz, Rich rsalz at akamai.com
Sun Jan 14 14:04:11 UTC 2018


The combination of (issuer,serial#) is the only way to get a unique identifier for a certificate.  Lots of software depends on certs being uniquely identifiable.  What happens if that assertion is not true?  Some things will break.  What?  Well, it depends on the software, and which certs are “duplicates” and so on.  There’s no way to know, really.  Just don’t do it.

For example, if cert-A has a keypair and cert-B has a keypair, then site-B could send a TLS chain with cert-A and while it would look correct, the connection would fail.  This is silly if B is doing it, but it is a DoS attack if a man in the middle does it.
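An added example (not part of the original message, and not OpenSSL code): a stdlib-only Python check that indexes DER certificates by (issuer, serial) and reports any identifier shared by certificates with different contents. The `enc` and `fake_cert` helpers and all sample values are constructed stand-ins that follow the X.509 field layout but carry no valid signature; real PEM certificates can be converted with `ssl.PEM_cert_to_DER_cert` and passed to `find_collisions`.

```python
import hashlib
from collections import defaultdict

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_id(der):
    """Return (issuer Name as raw DER, serial) for a DER X.509 certificate."""
    _, p, _ = tlv(der, 0)            # Certificate SEQUENCE
    _, p, _ = tlv(der, p)            # tbsCertificate SEQUENCE
    tag, start, end = tlv(der, p)
    if tag == 0xA0:                  # optional [0] version precedes the serial
        tag, start, end = tlv(der, end)
    serial = int.from_bytes(der[start:end], "big", signed=True)
    _, _, p = tlv(der, end)          # skip the signature AlgorithmIdentifier
    _, _, issuer_end = tlv(der, p)   # issuer Name SEQUENCE
    return der[p:issuer_end], serial  # byte-wise issuer match: a simplification

def find_collisions(ders):
    """Return {(issuer, serial): fingerprints} where distinct certs share an id."""
    seen = defaultdict(set)
    for der in ders:
        seen[cert_id(der)].add(hashlib.sha256(der).hexdigest())
    return {k: v for k, v in seen.items() if len(v) > 1}

def enc(tag, body):
    """Short-form DER TLV; enough for the constructed samples below."""
    return bytes([tag, len(body)]) + body

def fake_cert(cn, serial, key):
    """Constructed stand-in with X.509 layout; signature and validity omitted."""
    name = enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x0C, cn))))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, bytes([serial]))
              + enc(0x30, b"") + name + enc(0x04, key))
    return enc(0x30, tbs + enc(0x30, b"") + enc(0x03, b"\x00"))

CERT_A = fake_cert(b"Example CA", 42, b"key-of-A")
CERT_B = fake_cert(b"Example CA", 42, b"key-of-B")   # same id, different key
SAMPLES = [CERT_A, CERT_B, CERT_A,                   # CERT_A twice is not a clash
           fake_cert(b"Example CA", 43, b"key-of-C"),
           fake_cert(b"Other CA", 42, b"key-of-D")]

if __name__ == "__main__":
    for (issuer, serial), prints in find_collisions(SAMPLES).items():
        print(f"serial {serial:x} reused under one issuer by {len(prints)} certs")
```
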
 


