PT-2017-15455 · Curl +1

Published: 2017-02-22 · Updated: 2026-05-18 · CVE-2017-2629

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: curl versions prior to 7.53.0
Description: The issue is related to the TLS Certificate Status Request extension, also known as OCSP stapling, which is used to ask the server for fresh proof that its certificate is still valid. Due to a coding mistake, the code that checks whether that test succeeded or failed always concludes that valid proof is present, even when none was returned or when the server does not support the TLS extension at all. As a result, users may fail to detect that a server's certificate has become invalid, or be misled into believing the server is in better shape than it really is. The flaw exists in both the library and the command line tool, including the --cert-status option.
Recommendations: For versions prior to 7.53.0, update to version 7.53.0 or later to resolve the issue. As a temporary workaround, consider disabling the CURLOPT_SSL_VERIFYSTATUS option until a patch is available. Restrict access to the --cert-status command line option to minimize the risk of exploitation. Avoid relying on the TLS Certificate Status Request extension for certificate validation until the issue is resolved.
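As an added example (not part of the advisory), the following POSIX sh check decides, from the first line of `curl --version`, whether an installed curl tool or the libcurl it links against predates the 7.53.0 fix; the `curl --version` sample lines are constructed.

```sh
#!/bin/sh
# Added example (not from the advisory): flag curl builds affected by
# CVE-2017-2629, i.e. a curl tool or libcurl older than 7.53.0.

# True (exit 0) when dotted version $1 is strictly older than $2.
version_lt() {
  IFS=. read -r a1 a2 a3 <<EOF
$1
EOF
  IFS=. read -r b1 b2 b3 <<EOF
$2
EOF
  a3=${a3:-0}; b3=${b3:-0}
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# Pull the tool and linked-library versions out of the first line of
# `curl --version`; a -DEV or similar suffix is dropped by the [0-9.] class.
curl_tool_version() { printf '%s\n' "$1" | sed -n 's/^curl \([0-9.]*\).*/\1/p'; }
curl_lib_version()  { printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9.]*\).*/\1/p'; }

# Verdict for one `curl --version` line: the flaw lives in the library, so a
# new tool linked against an old libcurl is still reported as "vulnerable".
cve_2017_2629_status() {
  tool=$(curl_tool_version "$1")
  lib=$(curl_lib_version "$1")
  if [ -z "$tool" ] || [ -z "$lib" ]; then
    echo unknown
  elif version_lt "$tool" 7.53.0 || version_lt "$lib" 7.53.0; then
    echo vulnerable
  else
    echo fixed
  fi
}

# Constructed sample lines, not output from real hosts.
SAMPLE_OLD='curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2k zlib/1.2.8'
SAMPLE_NEW='curl 7.53.0 (x86_64-pc-linux-gnu) libcurl/7.53.0 OpenSSL/1.0.2k zlib/1.2.8'
SAMPLE_MIXED='curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2k zlib/1.2.8'

for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_MIXED"; do
  printf '%-10s %s\n' "$(cve_2017_2629_status "$s")" "$s"
done

# Check the locally installed curl, if there is one.
if command -v curl >/dev/null 2>&1; then
  printf 'installed: %s\n' "$(cve_2017_2629_status "$(curl --version | head -n 1)")"
fi
```

Distribution builds such as those behind the ALT Linux and openSUSE identifiers below may carry a backported fix without a version bump, so treat "vulnerable" as a prompt to check the package changelog rather than as a final verdict.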

Fix

Weakness Enumeration: Improper Certificate Validation

Related Identifiers:

ALT-PU-2017-1197
ALT-PU-2018-2456
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2017-2629
OPENSUSE-SU-2024:10582-1

Affected Products:

Alt Linux
Curl