Re: SSL Cert serial number non-uniqueness impact

The combination of (issuer,serial#) is the only way to get a unique identifier for a certificate.  Lots of software depends on certs being uniquely identifiable.  What happens if that assertion is not true?  Some things will break.  What?  Well, it depends on the software, and which certs are “duplicates” and so on.  There’s no way to know, really.  Just don’t do it.

For example, if cert-A has a keypair and cert-B has a keypair, then site-B could send a TLS chain with cert-A, and while it would look correct, the connection would fail.  This is silly if B is doing it, but it is a DoS attack if a man-in-the-middle does it.
 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
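The collision described in the message above, reproduced with the openssl command-line tool. This is an added example and is not code from the original post or from the OpenSSL project: it issues two leaf certificates under one test CA with the same serial number, shows that the (issuer, serial) pair is then identical while the SHA-256 fingerprints differ, and shows that cert-A does not bind site-B's key, which is why a chain carrying cert-A "looks correct" but the handshake fails. The CA name, the host names site-a/site-b and the serial 4242 are made-up values; the only assumption is an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: issue two leaf certificates
# under one CA with the same serial number and show what that breaks.
# Assumes only the openssl CLI on PATH. The CA name, the host names
# site-a/site-b and the serial 4242 are made-up values for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca: self-signed issuer (unencrypted RSA key, one-day validity).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1
}

# issue_leaf NAME SERIAL: fresh key pair for NAME, certificate signed by the
# CA with the given serial. openssl does nothing to stop serial reuse here;
# uniqueness per issuer is the CA operator's responsibility.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$1.example" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial "$2" \
    -days 1 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_id CERT: the (issuer, serial) pair that CRLs, OCSP and many caches
# treat as the certificate's identity, printed as "issuer=...|serial=...|".
cert_id() {
  openssl x509 -noout -issuer -serial -in "$1" | tr '\n' '|'
}

# cert_fp CERT: SHA-256 fingerprint over the DER encoding, which does
# differ between the two certificates.
cert_fp() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# same_id A B: succeeds when both certificates share (issuer, serial).
same_id() {
  [ "$(cert_id "$1")" = "$(cert_id "$2")" ]
}

# cert_matches_key CERT KEY: succeeds when CERT binds the public half of KEY.
# A server holding KEY but presenting a CERT issued for a different key looks
# fine to a viewer but cannot complete the TLS handshake; that is the DoS
# scenario from the post.
cert_matches_key() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = \
    "$(openssl pkey -pubout -in "$2")" ]
}

demo() {
  make_ca
  issue_leaf site-a 4242
  issue_leaf site-b 4242          # same issuer, same serial, different key

  echo "site-a id: $(cert_id "$WORK/site-a.crt")"
  echo "site-b id: $(cert_id "$WORK/site-b.crt")"
  if same_id "$WORK/site-a.crt" "$WORK/site-b.crt"; then
    echo "collision: (issuer, serial) does not identify one certificate"
  fi
  echo "site-a fp: $(cert_fp "$WORK/site-a.crt")"
  echo "site-b fp: $(cert_fp "$WORK/site-b.crt")"

  if cert_matches_key "$WORK/site-a.crt" "$WORK/site-b.key"; then
    echo "cert-A usable with key-B"
  else
    echo "cert-A served by site-b: chain looks valid, handshake will fail"
  fi
}

demo
```

The fingerprint check is the practical caveat: software that must tell certificates apart reliably has to key on a hash of the DER encoding (or on issuer, serial and key together), not on the serial alone; but revocation formats such as CRLs carry only the serial, so a duplicate under the same issuer cannot be revoked individually.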



