First published: Thu Feb 24 2022(Updated: )
In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
WolfSSL wolfssl | <5.2.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this issue is CVE-2022-25640.
The severity of CVE-2022-25640 is high, with a severity value of 7.5.
CVE-2022-25640 affects wolfSSL versions up to and excluding 5.2.0.
The impact of CVE-2022-25640 is that a TLS 1.3 server using wolfSSL may not be able to enforce mutual authentication properly.
Yes, the fix for CVE-2022-25640 can be found in wolfSSL version 5.2.0 and later.