[openssl-users] [openssl-announce] OpenSSL Security Advisory

Jakob Bohm jb-openssl at wisemo.com
Thu Jul 9 21:46:45 UTC 2015

On 09/07/2015 15:10, OpenSSL wrote:
> Hash: SHA1
> OpenSSL Security Advisory [9 Jul 2015]
> =======================================
> Alternative chains certificate forgery (CVE-2015-1793)
> ======================================================
> Severity: High
> During certificate verification, OpenSSL (starting from version 1.0.1n and
> 1.0.2b) will attempt to find an alternative certificate chain if the first
> attempt to build such a chain fails. An error in the implementation of this
> logic can mean that an attacker could cause certain checks on untrusted
> certificates to be bypassed, such as the CA flag, enabling them to use a valid
> leaf certificate to act as a CA and "issue" an invalid certificate.
Why was this introduced in a patch release?  I thought
improved chain building was a new feature, and thus
delineated by a library version number such as 1.0.2or
1.0.3.   In fact, I thought that was the reason we all
had to wait ages before this long standing shortcoming
was fixed.
> This issue will impact any application that verifies certificates including
> SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
Does this vulnerability also affect applications that
use OpenSSL or the openssl command line to handle S/MIME
or other CMS messages?

For example, the mail client mutt handles S/MIME by
invoking the openssl command line via macros in the
default configuration file.


Sorry for first trying to send to -announce, MUA must
have ignored the Reply-To.


Jakob Bohm, CIO, Partner, WiseMo A/S.http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150709/cf1526d6/attachment.html>

More information about the openssl-users mailing list