A flaw was found in the way OpenSSL verified alternative certificate chains. An attacker able to supply a certificate chain to an SSL/TLS or DTLS client or an SSL/TLS or DTLS server using client authentication could use this flaw to bypass certain checks in the verification process, possibly allowing them to use one of the certificates in the supplied certificate chain as a CA certificate to generate an invalid certificate.
The following was reported by OpenSSL upstream:
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.
This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.
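The report above names the CA flag as one of the checks that could be skipped when an alternative chain is built. As an added illustration (not OpenSSL's code and not part of the original report), this simplified Python model matches certificates by name only, with no signatures, and applies the CA-flag check to every candidate chain, alternatives included; the certificate names and the `Cert`, `candidate_chains`, `ca_flag_errors` and `verify` helpers are hypothetical.

```python
"""Simplified model (names only, no signatures): CA flag enforced on every candidate chain."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # stands in for basicConstraints CA:TRUE

def candidate_chains(leaf, untrusted, trusted, max_depth=8):
    """Yield each path from leaf to a trust anchor: the first found and any alternatives."""
    def walk(chain):
        tip = chain[-1]
        for anchor in trusted:
            if anchor.subject == tip.issuer:
                yield chain + [anchor]
        if len(chain) < max_depth:
            for cert in untrusted:
                if cert.subject == tip.issuer and cert not in chain:
                    yield from walk(chain + [cert])
    yield from walk([leaf])

def ca_flag_errors(chain):
    """Every certificate above the leaf signs another one, so it must be a CA."""
    return [f"{c.subject} is not a CA" for c in chain[1:] if not c.is_ca]

def verify(leaf, untrusted, trusted):
    """Return (ok, accepted_chain_subjects, errors_of_rejected_chains)."""
    rejected = []
    for chain in candidate_chains(leaf, untrusted, trusted):
        errors = ca_flag_errors(chain)
        if not errors:
            return True, [c.subject for c in chain], rejected
        rejected.append(errors)
    return False, None, rejected

# Constructed sample data; all names are hypothetical.
ROOT = Cert("Root CA", "Root CA", True)
INTER_OLD = Cert("Inter CA", "Retired Root", True)   # cross-signed copy, anchor not trusted
INTER = Cert("Inter CA", "Root CA", True)
SITE = Cert("site.example.test", "Inter CA", False)  # valid leaf, CA flag not set
BOGUS = Cert("bank.example.test", "site.example.test", False)  # "issued" by the leaf
POOL = [INTER_OLD, INTER, SITE]

if __name__ == "__main__":
    print(verify(SITE, POOL, [ROOT]))   # accepted via the alternative path to Root CA
    print(verify(BOGUS, POOL, [ROOT]))  # rejected: its issuer is a leaf, not a CA
```

In the sample data the path through the cross-signed `INTER_OLD` never reaches a trust anchor, so both verifications succeed or fail on the alternative path through `INTER`, which is where the CA-flag check has to be applied again.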
Created attachment 1045431
Created attachment 1045432
Followup patch 1
Created attachment 1045433
Followup patch 2
Not vulnerable. This issue does not affect any version of the OpenSSL package as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7, JBoss Enterprise Application Platform 6, Red Hat JBoss Enterprise Web Server 1 and 2, and Red Hat JBoss Web Server 3 because they did not include support for alternative certificate chains.
Red Hat would like to thank OpenSSL upstream for reporting this issue. Upstream acknowledges Adam Langley of Google and David Benjamin of BoringSSL as the original reporters.
Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1241544]
FeedHenry advisory covering impact on multi-tenant SaaS offerings:
Note, for clarity, the first affected upstream versions 1.0.1n and 1.0.2b were released on June 11th 2015.
Upstream commits in 1.0.1 branch:
Alternate chains handling, and hence this vulnerability, was introduced to the 1.0.1 branch via the following commit:
Related upstream bug reports:
Current Fedora versions are affected, as the alternative chain handling code was backported to F21 and F22: