I've been reading/hearing different opinions on the recent vulnerability for cert chain forging that was patched (CVE-2015-1793).

Some people are saying the vulnerability only exists if a system is using certificate-based client authentication (mutual auth, where both server and client are authenticated). Basically, that the chain forging can only be done on the client side.

Others are saying certs can be forged on the server, on implementations that use only server-side authentication, and if the client is using OpenSSL it will verify/accept the forged chain. This could effectively result in MitM against OpenSSL clients.

Can anyone on this list clarify with details?

Thanks,
Colin
sent from mobile