
LibreSSL certificate verification issue

Viktor Dukhovni
Please see:

   http://seclists.org/oss-sec/2017/q2/145

   ## Summary

   LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if
   SSL_get_verify_result is relied upon for a later check of a
   verification result, in a use case where a user-provided verification
   callback returns 1, as demonstrated by acceptance of invalid
   certificates by nginx.

This also affects Postfix, and will make all connections appear to be
"Trusted" or "Verified" even when certificate verification actually
failed.

Postfix is only supported with OpenSSL and not LibreSSL.  If, nevertheless,
you are using LibreSSL with Postfix, consider switching back to OpenSSL, or,
if that's not possible, upgrade to a later version of LibreSSL.

--
        Viktor.
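
Added example, not part of the original message and not code from LibreSSL, nginx or Postfix: a self-contained C model of the pattern in the summary, where the verification callback returns 1 and trust is decided later from the stored result, next to a variant in which the application keeps its own record of the failure. `struct conn`, `model_handshake` and the `V_*` codes are constructed stand-ins for the TLS library, and the model assumes the callback is still handed the real error when it runs.

```c
#include <stdio.h>

/* Constructed model, not libssl: V_* stand in for X509_V_* result codes. */
enum { V_OK = 0, V_ERR_EXPIRED = 10 };

struct conn {
    int lib_result;  /* what a later SSL_get_verify_result() call would report */
    int seen_error;  /* first error the application's own callback observed */
};

typedef int (*verify_cb)(int preverify_ok, int err, struct conn *c);

/* Pattern from the summary: accept in the callback, decide later. */
static int cb_defer(int preverify_ok, int err, struct conn *c) {
    (void)preverify_ok; (void)err; (void)c;
    return 1;
}

/* Same return value, but the application records the first failure itself. */
static int cb_record(int preverify_ok, int err, struct conn *c) {
    if (!preverify_ok && c->seen_error == V_OK)
        c->seen_error = err;
    return 1;
}

/* keeps_error = 0 models the behaviour described in the post: the stored
 * result reads OK once the callback has returned 1 for a failed chain. */
static void model_handshake(struct conn *c, int chain_err, verify_cb cb, int keeps_error) {
    c->lib_result = V_OK;
    c->seen_error = V_OK;
    if (chain_err != V_OK && (!cb(0, chain_err, c) || keeps_error))
        c->lib_result = chain_err;
}

/* Later check that relies only on the library's stored result. */
static int trusted_by_result(const struct conn *c) { return c->lib_result == V_OK; }

/* Later check that also consults the application's own record. */
static int trusted_hardened(const struct conn *c) {
    return c->lib_result == V_OK && c->seen_error == V_OK;
}

int main(void) {
    struct conn c;
    model_handshake(&c, V_ERR_EXPIRED, cb_defer, 0);
    printf("deferred, result only: trusted=%d\n", trusted_by_result(&c));
    model_handshake(&c, V_ERR_EXPIRED, cb_record, 0);
    printf("recorded, hardened:    trusted=%d\n", trusted_hardened(&c));
    return 0;
}
```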