OpenSSL shuts down two high-severity bugs: Flaws enable cert shenanigans, denial-of-service attacks

Two high-severity vulnerabilities in the OpenSSL software library were disclosed on Thursday alongside the release of a patched version of the software, OpenSSL 1.1.1k.


OpenSSL is widely used to implement the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which support encrypted network connections. Alternatives include BoringSSL and LibreSSL, among others.

The first flaw, a certificate check bypass (CVE-2021-3450), arose as a result of code implemented in v1.1.1h to perform an additional validity check on certificates using certain cryptographic parameters. The check was intended to ensure that certificates not from Certificate Authorities are unable to issue other certificates.
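To make the intent of that check concrete, here is a small chain-validation model written for this article. It is an added example, not OpenSSL's code and not the code that carried the bug: certificates are plain Python records holding only the fields the check depends on (subject, issuer and the basicConstraints CA flag plus its optional pathLenConstraint), all names are constructed, and the specific way the 1.1.1h code failed is not modelled here. What the example shows is the rule a strict verifier must enforce: any certificate that appears as the issuer of the one below it has to assert CA:TRUE, so a leaf certificate can never be used to mint another certificate.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed).

    Only the attributes the CA check consults are kept: the X.509
    basicConstraints extension carries the CA flag and an optional
    pathLenConstraint, modelled here as is_ca and path_len.
    """
    subject: str
    issuer: str
    is_ca: bool                     # basicConstraints CA:TRUE / CA:FALSE
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint, if present


def validate_chain(chain: List[Cert], trust_anchors: List[Cert]) -> Optional[str]:
    """Validate an ordered chain (leaf first, trust anchor last).

    Returns None when the chain is acceptable, otherwise a string naming the
    first violation found. The rule the article describes is enforced in the
    is_ca test: every certificate acting as an issuer must be a CA certificate.
    """
    if not chain:
        return "empty chain"

    anchors = {a.subject: a for a in trust_anchors}
    if chain[-1].subject not in anchors:
        return f"chain does not end in a trusted anchor (got {chain[-1].subject!r})"

    for depth, cert in enumerate(chain[:-1]):
        issuer = chain[depth + 1]

        # Name chaining: the next certificate must be the one this cert names.
        if cert.issuer != issuer.subject:
            return (f"{cert.subject!r} names issuer {cert.issuer!r}, "
                    f"but the next certificate is {issuer.subject!r}")

        # The CA check: a non-CA certificate must never issue anything.
        if not issuer.is_ca:
            return (f"{issuer.subject!r} is not a CA but appears as the "
                    f"issuer of {cert.subject!r}")

        # pathLenConstraint limits how many CA certificates may sit below this
        # issuer in the chain; the leaf (CA:FALSE) does not count against it.
        if issuer.path_len is not None:
            cas_below = sum(1 for c in chain[:depth + 1] if c.is_ca)
            if cas_below > issuer.path_len:
                return (f"{issuer.subject!r} allows {issuer.path_len} "
                        f"subordinate CA(s) but {cas_below} appear below it")

    return None


# Constructed sample certificates for a self-contained demonstration.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", is_ca=True, path_len=0)
LEAF = Cert("www.example.test", "Example Intermediate CA", is_ca=False)
# A certificate "issued" by the leaf: this is what the strict check must reject.
ROGUE = Cert("mail.example.test", "www.example.test", is_ca=False)


if __name__ == "__main__":
    print("good chain :", validate_chain([LEAF, INTERMEDIATE, ROOT], [ROOT]))
    print("rogue chain:", validate_chain([ROGUE, LEAF, INTERMEDIATE, ROOT], [ROOT]))
```

Run as a script, the first call reports `None` (the chain is acceptable) and the second names the leaf as a non-CA appearing in an issuing position. A verifier whose CA check silently stopped applying would accept the second chain as readily as the first, which is why a regression in this check is rated high severity.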


As a result of the error, enabling strict certificate validation did the opposite of what it was supposed to do: It ..
