Skip to content
  1. Jul 07, 2015
    • Matt Caswell's avatar
      Fix alternate chains certificate forgery issue · 9a0db453
      Matt Caswell authored
      
      
      During certificate verfification, OpenSSL will attempt to find an
      alternative certificate chain if the first attempt to build such a chain
      fails. An error in the implementation of this logic can mean that an
      attacker could cause certain checks on untrusted certificates to be
      bypassed, such as the CA flag, enabling them to use a valid leaf
      certificate to act as a CA and "issue" an invalid certificate.
      
      This occurs where at least one cert is added to the first chain from the
      trust store, but that chain still ends up being untrusted. In that case
      ctx->last_untrusted is decremented in error.
      
      Patch provided by the BoringSSL project.
      
      CVE-2015-1793
      
      Reviewed-by: default avatarStephen Henson <steve@openssl.org>
      9a0db453
  2. Jul 06, 2015
  3. Jul 02, 2015
    • Dr. Stephen Henson's avatar
      Fix PSK handling. · d6be3124
      Dr. Stephen Henson authored
      
      
      The PSK identity hint should be stored in the SSL_SESSION structure
      and not in the parent context (which will overwrite values used
      by other SSL structures with the same SSL_CTX).
      
      Use BUF_strndup when copying identity as it may not be null terminated.
      
      Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      (cherry picked from commit 3c66a669)
      d6be3124
  4. Jun 29, 2015
  5. Jun 25, 2015
  6. Jun 23, 2015
  7. Jun 22, 2015
  8. Jun 21, 2015
  9. Jun 16, 2015
  10. Jun 12, 2015
  11. Jun 11, 2015
  12. Jun 10, 2015