A vulnerability was reported in OpenSSL. A remote user can bypass certificate validation on the target system.
When validation of the presented certificate chain fails, OpenSSL attempts to build and validate an alternate chain, but it does not check the CA flag (the X.509 basicConstraints CA flag) of the untrusted certificates it uses as issuers in that alternate chain. As a result, a remote user who holds a valid leaf certificate can cause the target system to accept an invalid certificate issued under that leaf.
Applications that verify certificates are affected.
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication are affected.
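The check that is missing in the affected versions, shown on a simplified model of chain building (added illustration, not OpenSSL's code; the certificates are constructed stand-ins, not real X.509, and `enforce_ca=False` models the missing check):

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model, not ASN.1)."""
    subject: str
    issuer: str
    ca: bool        # basicConstraints CA flag
    key: str        # stand-in for the public key
    signed_by: str  # key that produced the signature

def signature_ok(cert: Cert, issuer: Cert) -> bool:
    """The 'signature' verifies when the issuer name matches and the signing key is the issuer's key."""
    return cert.issuer == issuer.subject and cert.signed_by == issuer.key

def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                enforce_ca: bool = True) -> Optional[List[Cert]]:
    """Search for a path from the leaf to a trusted root, trying alternate chains
    through the untrusted certificates. With enforce_ca=True an untrusted
    certificate may only act as an issuer if its CA flag is set; enforce_ca=False
    reproduces the missing check described in the advisory."""
    def extend(chain: List[Cert]) -> Optional[List[Cert]]:
        current = chain[-1]
        for root in trusted:
            if signature_ok(current, root):
                return chain + [root]
        for cand in untrusted:
            if cand in chain or not signature_ok(current, cand):
                continue
            if enforce_ca and not cand.ca:
                continue  # a non-CA certificate must never be accepted as an issuer
            found = extend(chain + [cand])
            if found:
                return found
        return None
    return extend([leaf])

# Constructed scenario: a trusted root, a legitimate intermediate, an ordinary
# end-entity certificate, and a certificate signed with that end-entity key.
ROOT = Cert("Root CA", "Root CA", True, "kR", "kR")
INTERMEDIATE = Cert("Intermediate CA", "Root CA", True, "kI", "kR")
LEAF = Cert("www.example", "Intermediate CA", False, "kL", "kI")
ISSUED_BY_LEAF = Cert("other.example", "www.example", False, "kX", "kL")

def check_leaf() -> bool:
    """A normal leaf -> intermediate -> root chain is accepted."""
    return build_chain(LEAF, [INTERMEDIATE], [ROOT]) is not None

def check_leaf_as_issuer(enforce_ca: bool) -> bool:
    """A certificate issued by a non-CA leaf is rejected only when the CA flag is enforced."""
    return build_chain(ISSUED_BY_LEAF, [LEAF, INTERMEDIATE], [ROOT], enforce_ca) is not None
```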
The vendor was notified on June 24, 2015.
Adam Langley/David Benjamin (Google/BoringSSL) reported this vulnerability.
The vendor has issued a fix (OpenSSL 1.0.1p and 1.0.2d).