mirror of https://github.com/Mbed-TLS/mbedtls.git (synced 2025-02-16 09:40:06 +00:00)
Edit ChangeLog entry
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
parent 16f0e18e41
commit f72a510590
@ -1,4 +1,11 @@
|
||||
Bugfix
|
||||
* Fix the failure to correctly update verification flags when
|
||||
checking the (ext)KeyUsage extension.
|
||||
Resolves #1260
|
||||
Security
|
||||
* With TLS 1.3, when a server enables optional authentication of the
|
||||
client, if the client-provided certificate does not have appropriate values
|
||||
in if keyUsage or extKeyUsage extensions, then the return value of
|
||||
mbedtls_ssl_get_verify_result() would incorrectly have the
|
||||
MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_KEY_USAGE bits
|
||||
clear. As a result, an attacker that had a certificate valid for uses other
|
||||
than TLS client authentication could be able to use it for TLS client
|
||||
authentication anyway. Only TLS 1.3 servers were affected, and only with
|
||||
optional authentication (required would abort the handshake with a fatal
|
||||
alert).
|
||||
|
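Review bot: In the Security entry, the line "MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_KEY_USAGE bits" names the same flag twice. Since the sentence covers both the keyUsage and extKeyUsage extensions, the second name was presumably meant to be MBEDTLS_X509_BADCERT_EXT_KEY_USAGE. The line "in if keyUsage or extKeyUsage extensions" also reads as a typo for "in its keyUsage or extKeyUsage extensions". Separately, the Bugfix entry ("Fix the failure to correctly update verification flags when checking the (ext)KeyUsage extension") and the Security entry appear to describe the same defect. If so, consider keeping only the Security entry, or have the Bugfix entry say what it covers beyond the TLS 1.3 optional-authentication case, so that readers who check mbedtls_ssl_get_verify_result() after an optional-auth handshake can tell which entry applies to them.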