[openssl-users] CVE-2015-1793 only on cert-based client auth?

Kurt Roeckx kurt at roeckx.be
Tue Jul 14 21:45:14 UTC 2015


On Tue, Jul 14, 2015 at 01:23:52PM -0400, Colin Edwards wrote:
> Thank you, Kurt.  The information I was getting (from some sources) was that
> the vulnerability was only present in configurations where the server was
> authenticating a client certificate.  The fact is, the vulnerability applies
> to certificate validation regardless of if it's on the client or server
> side.

Right, and validation doesn't even have to be about TLS either.
It's about any check of a certificate chain.


Kurt
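
Kurt's point that chain validation is not tied to TLS, shown as an added example that is not part of the original thread: the script builds a throwaway CA with the `openssl` CLI, then checks a certificate offline and verifies an S/MIME-signed message, with no TLS connection in either case. All file names, subject names and helper functions are constructed for the illustration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added illustration: every key, certificate and message here is constructed.

# Build a throwaway PKI in directory $1: a root CA, a leaf it issued, an
# unrelated self-signed root, and an S/MIME message signed by the leaf.
make_demo_pki() {
    (
        cd "$1" &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Root" -keyout ca.key -out ca.pem &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Unrelated Root" -keyout other.key -out other.pem &&
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=Demo Signer" -keyout leaf.key -out leaf.csr &&
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 1 -out leaf.pem &&
        printf 'constructed message\n' > msg.txt &&
        openssl smime -sign -in msg.txt -signer leaf.pem -inkey leaf.key \
            -out msg.eml
    ) >/dev/null 2>&1
}

# Offline chain check: does certificate $2 chain to trust anchor $1?
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Signed-mail check: verifying the signature on $2 also validates the
# signer's certificate chain against trust anchor $1.
verify_signed_msg() {
    openssl smime -verify -CAfile "$1" -in "$2" -out /dev/null >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo_pki "$d" || exit 1
for anchor in ca.pem other.pem; do
    verify_cert "$d/$anchor" "$d/leaf.pem" && c=ok || c=rejected
    verify_signed_msg "$d/$anchor" "$d/msg.eml" && m=ok || m=rejected
    echo "anchor=$anchor certificate=$c signed-message=$m"
done
rm -rf "$d"
```

Both checks accept the chain under the issuing root and reject it under the unrelated root, so any software doing this kind of verification belongs in the patch inventory alongside TLS clients and servers.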


