About the latest OpenSSL vulnerability

 
Post new topic   Reply to topic    Aprelium Forum Index -> SSL/Certificates
View previous topic :: View next topic  
Author Message
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1246

PostPosted: Tue Mar 15, 2022 10:18 pm    Post subject: About the latest OpenSSL vulnerability Reply with quote

Dear all,

Today (March 15, 2022), OpenSSL project has reported a vulnerability in one of its core computation algorithms that mainly affects reading elliptic curves certificates. Some specially crafted certificates and/or private keys based on elliptic curves can send OpenSSL (and its calling process) in an infinite loop:

https://www.openssl.org/news/openssl-1.1.1-notes.html

As you know Abyss Web Server uses OpenSSL to handle parts of its TLS/SSL support. Hopefully this particular vulnerability is very unlikely to affect it: Contrarily to Web browsers, Abyss Web Server does not validate external certificates as part of its normal operation. It also does not accept client certificates.

Maliciously crafted certificates that could trigger this bug have almost no chance to be encountered by a Web server.

Despite this low risk, we are going to release in the very near future a version which includes a fixed OpenSSL version.
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
_________________
Forum Administrator
Aprelium - https://aprelium.com
Back to top View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> SSL/Certificates All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group