CVE-2022-0778 - Impact of ECC cipher with valid server ECC certificate

Hello,

Our server does not consume any certificate from the client.
Client authentication or client certificate verification is disabled.
Server always has a valid ECC certificate.

BN_mod_sqrt() is not used anywhere in the server except by openssl.

If we consider an ECDHE_ECDSA cipher-based TLS handshake, then it is possible that the client can send an invalid public session key to the server, causing the vulnerability. Is this assumption correct?

If yes, then I think disabling ECC cipher suites should prevent the vulnerability if we don't want to upgrade openssl considering there is no other cryptographic operation except w.r.t. TLS.

Regards,
Vipul
