seph
An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.
In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.
Mike Myers
03/25/2021, 4:09 PM
theopolis
Jams
03/25/2021, 7:43 PM
atk
03/30/2021, 4:08 PM
Mike Myers
03/30/2021, 4:10 PM