CVE-2015-1793 only on cert-based client auth?

On Mon, Jul 13, 2015 at 01:03:09PM -0400, Colin Edwards wrote:
> I've been reading/hearing different opinions on the recent vulnerability
> for cert chain forging that was patched (CVE-2015-1793).
> 
> Some people are saying the vulnerability only exists if a system is using
> certificate-based client authentication (mutual auth, where both server and
> client are authenticated).  Basically, that the chain forging can only be
> done on the client side.
> 
> Others are saying certs can be forged on the server, on implementations
> that use only server-side authentication, and if the client is using
> OpenSSL it will verify/accept the forged chain.  This could effectively
> result in MitM against OpenSSL clients.

It's whenever a certificate is received (and validated).  This
means either:
- A client is authenticating a server (server authentication)
- A server is authenticating a client (client authentication)

Of course both could be happening for the same connection.

It's much more common that the client authenticates the server.
Certainly for https, client authentication is uncommon.  Also, for
https the client usually isn't OpenSSL based, except for android.


Kurt
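The practical consequence of the answer above is that the question is not "client or server?" but "does this endpoint validate a peer certificate chain at all?". The following is an added example (not part of the thread, and not OpenSSL project code) using Python's `ssl` module, whose verification is done by the linked OpenSSL library: it builds the four common configurations and reports which of them hand a peer's chain to the verifier. The `peer_validation_enabled`, `client_context`, `server_context` and `exposure_report` helpers are this example's own names.

```python
import ssl


def peer_validation_enabled(ctx: ssl.SSLContext) -> bool:
    """Return True if this context will run chain verification on a
    certificate the peer presents.

    Any endpoint for which this is True runs the library's chain-building
    and validation code on peer-supplied certificates, so a bug in that
    code applies to it regardless of whether it is the client or the
    server side of the connection.  CERT_OPTIONAL still validates a chain
    if the peer chooses to send one.
    """
    return ctx.verify_mode in (ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED)


def client_context(verify: bool = True) -> ssl.SSLContext:
    """Client side: by default Python verifies the server's chain."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if not verify:
        # Order matters: hostname checking must be off before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def server_context(require_client_cert: bool = False) -> ssl.SSLContext:
    """Server side: by default a server does not ask for a client cert,
    so it never validates a chain from the client.  Enabling mutual auth
    turns that validation on."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def exposure_report() -> dict:
    """Map each configuration to whether it validates peer chains."""
    cases = {
        "client verifying server (server auth)": client_context(True),
        "client with verification disabled": client_context(False),
        "server without client auth": server_context(False),
        "server requiring client certs (mutual auth)": server_context(True),
    }
    return {name: peer_validation_enabled(ctx) for name, ctx in cases.items()}


def openssl_version() -> str:
    """The OpenSSL build actually doing the verification for this process;
    this is the version string to compare against a vendor advisory."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    print("Linked OpenSSL:", openssl_version())
    for name, validates in exposure_report().items():
        print(f"{name:45s} validates peer chain: {validates}")
```

A client with verification left on (the default) is exposed to a chain-validation bug through ordinary server authentication; the server only becomes exposed once it is configured to verify client certificates. Note that a client which has disabled verification is not "safe" in any useful sense, it simply never checks the chain at all.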
