[openssl-users] OpenSSL Security Advisory - CVE-2015-1793
rsalz at akamai.com
Fri Jul 10 12:55:24 UTC 2015
>How deep does the certificate chain have to be?
It does not matter.
>If I have 2 self-signed CA certificates, and a non-CA certificate is received for verification, will this hit the problem?
>Also, is it a condition of the bug that both CA certificates have to have the same subject names and keys, as suggested in the file?
I think you are confused. The bug is not about CA's. It's about a non-CA fooling the runtime into treating it as if it were a CA and being able to issue a certificate.
More information about the openssl-users