Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 26 Feb 2015 00:47:49 -0500 (EST)
Subject: Re: CVE Request: mod-gnutls: GnuTLSClientVerify require is ignored

Hash: SHA1

> mod-gnutls doesn't consider the server's client verify mode, even if the
> verify mode was unset in the directory configuration. As a result,
> invalid certificates are ignored and clients can connect and receive
> data as long as they presented any certificate whatsoever.

We haven't been able to determine how many different vulnerabilities
are being reported. The 2009 report is apparently about ignoring
GnuTLSClientVerify when this directive is present in a directory
context, whereas is
apparently about ignoring GnuTLSClientVerify when this directive is
present only in a server config context. is
apparently discussing the 2009 bug when saying "This bug still exists
in current stable and unstable packages" but perhaps is actually
referring to a remaining issue that exists because of an incomplete
fix for the 2009 bug.

The 2009 report seems to imply that that verification problem is an
impact of a bug related to improper "rehandshake" handling
( Also, suggests that the
verification problem is observed with some browsers but not others,
which might mean that sessions with certain browsers (or browsers with
certain SSL configurations) do not end up having a "rehandshake." has no
mention of "rehandshake" or anything similar, and instead apparently
blames the problem on "the authentication hook (mgs_hook_authz)."
Similarly, the 2015 patch (i.e.,
5a8a32bbfb8a83fe6358c5c31c443325a7775fc2) seems to be a fix for a
missing check in the 2009 patch (i.e., the

The various discussion of "when I browse site2 in IE, it shows me the
certificate of site1" and "it seems curl extension of php also can't
correctly connect" in
is possibly a user error and not a valid third vulnerability report.

So, are you looking for:

  one CVE-2009-#### ID  -- vulnerability involving the directory context

  one CVE-2015-#### ID  -- vulnerability involving the server config context


- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.