Openssl · Openssl · CVE-2022-1343
**Name of the Vulnerable Software and Affected Versions**
OpenSSL versions 3.0.0 through 3.0.2
**Description**
The issue is in the function `OCSP_basic_verify` in the OpenSSL library, which verifies the signer certificate on an OCSP response. When the non-default flag `OCSP_NOCHECKS` is passed, the function reports a successful (positive) verification even if the response signing certificate fails to verify. This can allow a remote attacker to mount a "man-in-the-middle" attack. The command line OpenSSL `ocsp` application is also affected when it verifies an OCSP response with the `-no_cert_checks` option.
**Recommendations**
For OpenSSL versions 3.0.0 through 3.0.2, update to OpenSSL 3.0.3 to fix the issue.
As a temporary workaround, avoid passing the `OCSP_NOCHECKS` flag to `OCSP_basic_verify` until the upgrade can be applied.
Restrict access to the command line OpenSSL `ocsp` application to minimize the risk of exploitation when verifying OCSP responses with the `-no_cert_checks` option.
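To act on the recommendations above, a defender needs two checks: whether the installed OpenSSL is in the affected 3.0.0 to 3.0.2 range, and whether any code or scripts reach the vulnerable path by passing `OCSP_NOCHECKS` to `OCSP_basic_verify` or `-no_cert_checks` to `openssl ocsp`. The following is an added audit helper written for this page, not code from the OpenSSL project; the source lines it scans are constructed samples, and the `openssl version` banner format it parses is the standard "OpenSSL x.y.z date" form.

```python
import re
import subprocess

# Affected range from the advisory: 3.0.0 through 3.0.2, fixed in 3.0.3.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 2)

# Matches the leading "OpenSSL 3.0.2" part of an `openssl version` banner.
# LibreSSL and other forks do not match and are reported as not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(banner):
    """True when the banner describes an OpenSSL build inside the affected range."""
    v = parse_openssl_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


# Usages that make the vulnerable code path reachable on an affected build.
RISKY_PATTERNS = {
    "OCSP_NOCHECKS": re.compile(r"\bOCSP_NOCHECKS\b"),
    "-no_cert_checks": re.compile(r"-no_cert_checks\b"),
}


def find_risky_usage(text):
    """Return (line_number, pattern_name, stripped_line) for each risky line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, pat in RISKY_PATTERNS.items():
            if pat.search(line):
                hits.append((n, name, line.strip()))
    return hits


def local_openssl_banner():
    """Ask the local `openssl` binary for its version; empty string if absent."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=False)
        return proc.stdout
    except FileNotFoundError:
        return ""


# Constructed sample source lines (not from any real project): line 2 uses the
# flag, line 3 is the safe call with flags=0, line 4 is a shell invocation.
SAMPLE_SOURCE = "\n".join([
    "/* constructed sample lines for the audit helper */",
    "int rc = OCSP_basic_verify(bs, certs, store, OCSP_NOCHECKS);",
    "int rc2 = OCSP_basic_verify(bs, certs, store, 0);",
    "# openssl ocsp -issuer ca.pem -cert srv.pem -url http://ocsp.example.test/ -no_cert_checks",
])


if __name__ == "__main__":
    banner = local_openssl_banner()
    print("local build:", banner.strip() or "(openssl not found)")
    print("in affected range:", is_affected(banner))
    for n, name, line in find_risky_usage(SAMPLE_SOURCE):
        print(f"line {n}: {name}: {line}")
```

Run the file directly to check the host's `openssl` binary; feed `find_risky_usage` the contents of your own source or deployment scripts to locate the flag and option the advisory names. A hit on an unaffected version is still worth reviewing, because passing `OCSP_NOCHECKS` disables signer certificate checks by design.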