OpenSSL's Latest High Severity Issue Exposed
Written by Michael Larabel in Free Software on 9 July 2015 at 09:04 AM EDT.
We heard another big OpenSSL vulnerability would be announced soon and today it's been made public: OpenSSL's latest "high" severity security vulnerability.

This latest issue affects OpenSSL 1.0.1n+ and 1.0.2b and deals with certificate verification.
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

Details at OpenSSL.org.
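To make the failure mode concrete, the following is an added, simplified Python model of the chain-building bookkeeping; it is not OpenSSL's code, and it does not handle real X.509 (certificates are plain records and signatures are not modelled). It assumes, as a constructed scenario, a trust store holding two certificates with the same subject name, the first of which dead-ends because its issuer is absent, so the first chain attempt fails and the alternative-chain retry runs. The modelling choice, which is an assumption loosely based on the advisory text, is that the CA-flag check is applied only to the untrusted prefix of the chain, counted by `num_untrusted`; the `fixed` flag switches between a retry that decrements that counter for every popped certificate and one that decrements it only for popped untrusted certificates. `every_issuer_is_ca` is the independent safeguard a reviewer would want alongside the fix: every issuer in the final chain, trusted or not, must carry the CA flag.

```python
"""Simplified model of the alternative-chain flaw: added illustration with
constructed data, not OpenSSL's code. Certificates are plain records; only the
chain-building bookkeeping is modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # basicConstraints CA flag

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def _issuers(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """All certificates in `pool` whose subject matches cert's issuer name."""
    return [c for c in pool if c.subject == cert.issuer]


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                fixed: bool) -> Tuple[Optional[List[Cert]], str]:
    """Return (chain, verdict). fixed=False reproduces the faulty counter
    update on the retry path; fixed=True keeps the counter honest."""
    chain = [leaf]
    num_untrusted = 1  # chain[0:num_untrusted] came from the peer

    # 1. Walk up through the peer-supplied (untrusted) certificates.
    while not chain[-1].self_signed:
        nxt = [c for c in _issuers(chain[-1], untrusted) if c not in chain]
        if not nxt:
            break
        chain.append(nxt[0])
        num_untrusted += 1

    def extend_from_store(skip: List[Cert]) -> None:
        # 2. Continue with the local trust store until a self-signed anchor
        # is reached or the issuer cannot be found (dead end).
        while not chain[-1].self_signed:
            nxt = [c for c in _issuers(chain[-1], trusted)
                   if c not in chain and c not in skip]
            if not nxt:
                return
            chain.append(nxt[0])

    extend_from_store(skip=[])

    # 3. Alternative chain: no anchor reached, so backtrack and look for a
    # different store certificate that can issue an earlier chain member.
    if not chain[-1].self_signed:
        for j in range(len(chain) - 1, 0, -1):
            if not [c for c in _issuers(chain[j - 1], trusted) if c not in chain]:
                continue
            popped: List[Cert] = []
            while len(chain) > j:
                popped.append(chain.pop())
                if fixed:
                    # Only entries with index < num_untrusted were untrusted.
                    if len(chain) < num_untrusted:
                        num_untrusted -= 1
                else:
                    num_untrusted -= 1  # faulty: also counts popped store certs
            extend_from_store(skip=popped)
            break

    if not chain[-1].self_signed:
        return None, "unable to get issuer certificate"

    # 4. CA-flag check over the untrusted prefix only; index 0 is the leaf
    # and may legitimately be an end-entity certificate.
    for i in range(1, num_untrusted):
        if not chain[i].is_ca:
            return None, f"invalid CA certificate: {chain[i].subject}"
    return chain, "ok"


def every_issuer_is_ca(chain: List[Cert]) -> bool:
    """Counter-independent safeguard: every issuer in the chain has CA set."""
    return all(c.is_ca for c in chain[1:])


# Constructed sample data. The store holds two "Intermediate CA" records; the
# first dead-ends because "Old Root" is not in the store.
ROOT = Cert("Root CA", "Root CA", is_ca=True)
SUB_OLD = Cert("Intermediate CA", "Old Root", is_ca=True)
SUB_NEW = Cert("Intermediate CA", "Root CA", is_ca=True)
SITE_LEAF = Cert("www.example.test", "Intermediate CA", is_ca=False)
FORGED = Cert("forged.example.test", "www.example.test", is_ca=False)

TRUST_STORE = [SUB_OLD, SUB_NEW, ROOT]
PEER_EXTRA = [SITE_LEAF]  # sent by the peer alongside FORGED


def verdict(fixed: bool) -> str:
    return build_chain(FORGED, PEER_EXTRA, TRUST_STORE, fixed=fixed)[1]


if __name__ == "__main__":
    print("faulty counter:", verdict(fixed=False))  # "ok": a leaf served as issuer
    print("fixed counter: ", verdict(fixed=True))   # "invalid CA certificate: www.example.test"
```

With the faulty counter the retry pops the dead-end store certificate but also shrinks `num_untrusted`, so the peer-supplied end-entity certificate drops out of the checked prefix and is accepted as an issuer; with the fixed counter the same chain is rejected. `every_issuer_is_ca` rejects it in both variants, which is why a verifier should not let an extension check depend on positional bookkeeping that a retry path can disturb.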
About The Author
Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.