mirror of https://github.com/hak5/openwrt-owl.git
69ac637fbb
Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when it was not trusted. This could be triggered remotely on both the client and server side. (Note, with the authentication mode set by mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake was correctly aborted). Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Tested-by: Magnus Kroken <mkroken@gmail.com> |
||
---|---|---|
.. | ||
200-config.patch |