PT-2017-18269 · Nginx+2

Jirutka · Published 2017-04-27 · Updated 2019-10-03 · CVE-2017-8301

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

LibreSSL versions 2.5.1 through 2.5.3

Description

The issue concerns a lack of TLS certificate verification in certain use cases. Specifically, if a user-provided verification callback returns 1, and the application relies on SSL_get_verify_result for later verification checks, invalid certificates may be accepted. This has been demonstrated in the context of nginx.

Recommendations

For LibreSSL versions 2.5.1 through 2.5.3, consider implementing additional verification checks beyond relying on SSL_get_verify_result to ensure proper TLS certificate validation. As a temporary workaround, review and modify user-provided verification callbacks to return appropriate values for invalid certificates.
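
An added example, not code from the advisory, LibreSSL or nginx: a self-contained C model (no TLS library linked) of the recommendation above, where the callback keeps its own record of errors and the application fails closed on either signal. All names are hypothetical, and the loses_error switch is an assumed model of the affected behaviour, in which an error overridden by the callback is not reflected in the stored result.

```c
#include <stddef.h>
/* Constructed model: none of these names are LibreSSL or nginx symbols. */
enum { V_OK = 0, V_ERR_EXPIRED = 10 };

typedef struct {
    int cb_error;       /* first error the verify callback was shown */
    int stored_result;  /* what the model's "get verify result" reports */
} conn;

typedef int (*verify_cb)(int preverify_ok, int err, conn *c);

/* Returns 1 so the handshake continues; keeps no record of the error. */
static int cb_permissive(int preverify_ok, int err, conn *c) {
    (void)preverify_ok; (void)err; (void)c; return 1;
}

/* Also returns 1, but remembers the first error it was told about. */
static int cb_recording(int preverify_ok, int err, conn *c) {
    if (!preverify_ok && c->cb_error == V_OK) c->cb_error = err;
    return 1;
}

/* Walk per-certificate errors. loses_error=1 is the modelled assumption for
 * the affected versions: an error the callback overrides is not stored. */
static void model_verify(conn *c, const int *errs, size_t n, verify_cb cb, int loses_error) {
    c->cb_error = V_OK;
    c->stored_result = V_OK;
    for (size_t i = 0; i < n; i++) {
        if (errs[i] == V_OK) continue;
        int keep_going = cb(0, errs[i], c);
        if ((!loses_error || !keep_going) && c->stored_result == V_OK) c->stored_result = errs[i];
        if (!keep_going) return;  /* callback rejected: handshake stops */
    }
}

/* Trusts only the stored result (the pattern the advisory warns about). */
static int accept_result_only(const conn *c) { return c->stored_result == V_OK; }
/* Fail closed: stored result AND the callback's own record must be clean. */
static int accept_strict(const conn *c) { return accept_result_only(c) && c->cb_error == V_OK; }

/* Convenience wrapper: 1 = peer accepted, 0 = peer rejected. */
static int peer_accepted(const int *errs, size_t n, verify_cb cb, int loses_error, int strict) {
    conn c;
    model_verify(&c, errs, n, cb, loses_error);
    return strict ? accept_strict(&c) : accept_result_only(&c);
}

int main(void) {  /* constructed chain: leaf expired; exits 0 when rejected */
    const int chain[] = { V_OK, V_ERR_EXPIRED };
    return peer_accepted(chain, 2, cb_recording, 1, 1);
}
```

In a real application the callback's record would be attached to the connection object, so the later check can read it alongside the library's verify result.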

Fix

Improper Certificate Validation


Weakness Enumeration

Related identifiers

ALT-PU-2017-1557
CVE-2017-8301

Affected products

Alt Linux
Libressl
Nginx