[openssl-users] OpenSSL Security Advisory - CVE-2015-1793

Salz, Rich rsalz at akamai.com
Fri Jul 10 12:55:24 UTC 2015

>How deep does the certificate chain have to be?

It does not matter.

>If I have 2 self-signed CA certificates, and a non-CA certificate is received for verification, will this hit the problem?
>Also, is it a condition of the bug that both CA certificates have to have the same subject names and keys, as suggested in the file?

I think you are confused.  The bug is not about CA's.  It's about a non-CA fooling the runtime into treating it as if it were a CA and being able to issue a certificate.

More information about the openssl-users mailing list