OpenSSL Security Advisory - CVE-2015-1793

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/10/2015 09:32 AM, Matt Caswell wrote:
>
> On 10/07/15 13:09, R C Delgado wrote:
>> Hello,
>>
>> With regards to CVE-2015-1793, I've seen the example in verify_extra_test.c.
>> How deep does the certificate chain have to be?
>> If I have 2 self-signed CA certificates, and a non-CA certificate is
>> received for verification, will this hit the problem?
>>
>> Also, is it a condition of the bug that both CA certificates have to
>> have the same subject names and keys, as suggested in the file?
>
> The conditions for triggering the bug are a little complicated, but I'll
> do my best to explain it.
>
<snip>
> So these certs would need to be present (at a minimum):
>
> Chain 1:
>
> Trusted Cert 1
> |
> Untrusted Cert 1
> |
> Leaf
> |
> Bad
>
> Chain 2:
>
> Trusted Cert 2
> |
> Leaf
> |
> Bad
>
> There are other possible longer chains, but this is the minimum set. For
> 1.0.2, Chain 1 would have to be non-trusted, even though we have added a
> trusted cert. This can occur if Trusted Cert 1 is not self signed and
> its issuer is not in the trusted store. For 1.0.1 any chain will do.
> Untrusted Cert 1 and Trusted Cert 2 would both have to be valid issuers
> of Leaf (i.e. they have the same subject names and public keys). Chain 2
> must be trusted (so Trusted Cert 2 has to be a self-signed root).
>
Thanks, Matt. This is the most cogent explanation I've seen to date.

Cheers

-- 
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
visit my IT blog                www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies   see www.2rosenthals.com
-------------------------------------------------------------



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux