[openssl-users] [openssl-announce] OpenSSL Security Advisory

Matt Caswell matt at openssl.org
Thu Jul 9 22:47:21 UTC 2015



On 09/07/15 22:46, Jakob Bohm wrote:
> On 09/07/2015 15:10, OpenSSL wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> OpenSSL Security Advisory [9 Jul 2015]
>> =======================================
>>
>> Alternative chains certificate forgery (CVE-2015-1793)
>> ======================================================
>>
>> Severity: High
>>
>> During certificate verification, OpenSSL (starting from version 1.0.1n and
>> 1.0.2b) will attempt to find an alternative certificate chain if the first
>> attempt to build such a chain fails. An error in the implementation of this
>> logic can mean that an attacker could cause certain checks on untrusted
>> certificates to be bypassed, such as the CA flag, enabling them to use a valid
>> leaf certificate to act as a CA and "issue" an invalid certificate.
> Why was this introduced in a patch release?  I thought
> improved chain building was a new feature, and thus
> delineated by a library version number such as 1.0.2 or
> 1.0.3. In fact, I thought that was the reason we all
> had to wait ages before this long-standing shortcoming
> was fixed.

Is it a new feature or a defect fix?

On the one hand OpenSSL has never been able to handle alternative
certificate chains. If the first chain attempted fails to verify then we
stop. It's always been done that way and from that point of view the
ability to handle alternative cert chains is a new feature.

On the other hand, from a user's perspective, if you present OpenSSL with
a perfectly valid certificate, and a perfectly valid trust store, then
you expect it to successfully verify the certificate no matter what.
OpenSSL was failing to do that, and therefore this would suggest it is a
defect.

My initial view was the former. This issue was raised a number of times
within RT and on the openssl-dev list and also via other routes. It was
clearly causing real problems for end users (and increasingly so). There
was much discussion on this topic, but ultimately the decision was taken
to change our mind, and treat it as a defect. For that reason it was
included in a patch release.

>> This issue will impact any application that verifies certificates including
>> SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
> Does this vulnerability also affect applications that
> use OpenSSL or the openssl command line to handle S/MIME
> or other CMS messages?

Yes. Ultimately it affects all applications that verify certificates.
That includes the openssl command line applications.

Matt


