admin (Site Admin)
Joined: 03 Mar 2002
Posts: 1347

Posted: Tue Mar 15, 2022 10:18 pm
Post subject: About the latest OpenSSL vulnerability

 Dear all,
 Today (March 15, 2022), the OpenSSL project reported a vulnerability in one of its core computation algorithms that mainly affects reading elliptic curve certificates. Some specially crafted certificates and/or private keys based on elliptic curves can send OpenSSL (and its calling process) into an infinite loop:
 
 https://www.openssl.org/news/openssl-1.1.1-notes.html
 
 As you know, Abyss Web Server uses OpenSSL to handle parts of its TLS/SSL support. Hopefully this particular vulnerability is very unlikely to affect it: contrary to Web browsers, Abyss Web Server does not validate external certificates as part of its normal operation. It also does not accept client certificates.
 
 Maliciously crafted certificates that could trigger this bug have almost no chance of being encountered by a Web server.
 
 Despite this low risk, we are going to release, in the very near future, a version that includes a fixed OpenSSL version.
 _________________
 Forum Administrator
 Aprelium - https://aprelium.com