Security News > 2021 > March > Serious Security: OpenSSL fixes two high-severity crypto bugs
As you probably know, the server side of a TLS connection usually submits a so-called digital certificate right at the start of proceedings.
If the signature checks out and the CA checks out, then the TLS connection is considered verified; if not, you will see one of those "Certificate warning" pages that fraudulent or misconfigured sites provoke.
We won't go into detail here, but you need to know that one sort of TLS certificate uses what is called Elliptic Curve Cryptography, which is an algorithm based on mathematical computations using equations that define what are known as elliptic curves.
ECC certificates are increasingly popular because they're typically a lot smaller than RSA certificates with a comparable security strength.
So the code correctly detects that the certificate is fake, but then "Forgets" that fact and reports that the certificate is valid instead. The CVE-2021-3450 bug is strangely reminiscent of Apple's infamous "Goto fail" flaw from 2014.
If you can manage without the additional certificate checks then this may be the lesser of two evils until you can upgrade to version 1.1.1k. Also, if you are a programmer, try not to write error-checking code the way that it was done in OpenSSL's certificate verification routines.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-03-25 | CVE-2021-3450 | Improper Certificate Validation vulnerability in multiple products The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. | 7.4 |