An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.
In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.
Mike Myers, 03/25/2021, 4:09 PM
Jams, 03/25/2021, 7:43 PM
atk, 03/30/2021, 4:08 PM
Mike Myers, 03/30/2021, 4:10 PM