cURL (in /lib/vtls/openssl.c) does not check that the certificate serial number in the stapled OCSP response matches the serial number of the certificate it is trying to validate (the peer certificate). This results in a passed validity challenge even when connecting to a site that has had its certificate revoked.
An example program showing the vulnerability and a suggested patch are included.
EXAMPLE:
- Identify a site with a revoked certificate. (https://revoked.grc.com)
- Obtain a valid OCSP response for a site signed by the same issuer as
the revoked site. (https://www.grc.com). See
https://akshayranganath.github.io/OCSP-Validation-With-Openssl/ for a
how-to. Use the ocsp option ‘respout’ to obtain the DER encoded OCSP
response.
Certificates for www.grc.com are provided. Use the following
command to obtain an OCSP response for the example certificates:
$ openssl ocsp -issuer grc_chain.pem -cert grc_cert.pem -text -url http://ocsp.digicert.com -respout grc_ocsp_resp.der
- See the OCSP behavior without replacing the OCSP response:
$ ./curl_ocsp_vuln_test https://revoked.grc.com
Curl Error: SSL server certificate status verification FAILED
Curl correctly fails.
- See the OCSP behavior when replacing the OCSP response with that
from www.grc.com:
$ ./curl_ocsp_vuln_test https://revoked.grc.com --replace_ocsp grc_ocsp_resp.der
<!DOCTYPE html PUBLIC…
The result is that cURL succeeds despite the site having a revoked certificate.
Impact
Certificates are usually revoked because important information, such as the private key, has become known. This could allow an attacker to cause a “validated” connection to an attacker-controlled site by substituting the OCSP response.