
Vulnerability in LibreSSL, affecting mechanism to verify TLS-certificates with nginx

By Prempal Singh, May 1, 2017

A vulnerability (CVE-2017-8301) has been identified in the LibreSSL library, developed by the OpenBSD project. It causes TLS certificate validation to be skipped in applications that perform the check by registering a callback handler and then calling the SSL_get_verify_result function. The affected applications noted so far are the HTTP server nginx and the IRC server InspIRCd. The vulnerability was discovered by the developers of the Alpine Linux distribution.

The problem has been present since LibreSSL 2.5.1 and remains in the current release, 2.5.3. An update with the fix is still in development. A connection with an invalid certificate is possible only if the callback handler always returns 1 and the verification result is evaluated afterwards by calling the SSL_get_verify_result() function. The problem can affect both servers that verify client certificates and client software that verifies the server's certificate.
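The usage pattern described above, next to a defensive variant, as an added illustration that is not code from LibreSSL, nginx or the original article. It is a self-contained C model: every name in it is a hypothetical stand-in, and the `result_lost` flag is an assumption that models an affected build whose stored verification result reads as OK after the callback has returned 1.

```c
/* Added model, not LibreSSL or nginx code; all names are hypothetical. */
#include <stdio.h>
enum { V_OK = 0, V_ERR_UNTRUSTED = 1 };  /* stand-ins for X509_V_* codes */
struct conn {
    long lib_result;  /* what SSL_get_verify_result() would report */
    long app_error;   /* first error recorded by the application's callback */
};
typedef int (*verify_cb)(int preverify_ok, long err, struct conn *c);

/* Affected pattern: always return 1 and rely on the stored result later. */
static int cb_always_ok(int preverify_ok, long err, struct conn *c) {
    (void)preverify_ok; (void)err; (void)c;
    return 1;
}

/* Defensive variant: still return 1, but keep the first error in app state. */
static int cb_record(int preverify_ok, long err, struct conn *c) {
    if (!preverify_ok && c->app_error == V_OK)
        c->app_error = err;
    return 1;
}

/* result_lost = 1 models (assumption) a build whose stored result reads OK. */
static int handshake(struct conn *c, long chain_err, verify_cb cb, int result_lost) {
    c->lib_result = c->app_error = V_OK;
    if (chain_err != V_OK) {
        if (!cb(0, chain_err, c))
            return 0;  /* callback aborted the handshake */
        c->lib_result = result_lost ? V_OK : chain_err;
    }
    return 1;
}

/* Post-handshake decision: the peer is accepted only if both sources agree. */
static int accept_peer(const struct conn *c) {
    return c->lib_result == V_OK && c->app_error == V_OK;
}
/* Returns 1 if a peer with an untrusted certificate ends up accepted. */
static int bad_cert_accepted(verify_cb cb, int result_lost) {
    struct conn c;
    return handshake(&c, V_ERR_UNTRUSTED, cb, result_lost) && accept_peer(&c);
}

int main(void) {
    printf("always-1 cb, correct lib:   %d\n", bad_cert_accepted(cb_always_ok, 0));
    printf("always-1 cb, affected lib:  %d\n", bad_cert_accepted(cb_always_ok, 1));
    printf("recording cb, affected lib: %d\n", bad_cert_accepted(cb_record, 1));
    return 0;
}
```

In a real application the recording step would read the error with X509_STORE_CTX_get_error() inside the verify callback and keep it in per-connection state.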
