hackerone · Kurohiro · H1:2298922
Dec 29, 2023 - 2:22 a.m.

curl: CVE-2024-0853: OCSP verification bypass with TLS session reuse

kurohiro
hackerone.com
curl
security vulnerability
tls session
certificate revocation
ocsp bypass
bug bounty

AI Score: 7.2 High (confidence: Low)
EPSS: 0.001 Low (percentile: 24.2%)

Summary:

In version 8.5.0, cURL has inadvertently established a pathway for accepting revoked certificates.
As a result of this correction, during TLS session reuse, OCSP stapling verification will be skipped.
However, the TLS session will be preserved regardless of OCSP verification results.
As a result, even for revoked certificates, verification is skipped during TLS session reuse.

Steps To Reproduce:

1. Identify sites with revoked certificates.
2. curl (URL from step 1) (URL from step 1) --cert-status

I have prepared an environment for testing. Please use as necessary.
https://ocsptest.ddns.net/
curl https://ocsptest.ddns.net/ https://ocsptest.ddns.net/ --cert-status
This website returns only the string “test.”

  • I have used this for testing.
  • To avoid complications with timing dependencies in verification, I have configured the web server to use TLS 1.2.
    In the case of TLS 1.3, the timing of session preservation is delayed, which appeared to prevent session reuse with the above command line.

Here are the execution results.

C:\curl-8.5.0_3-win64-mingw\bin>curl https://ocsptest.ddns.net/ https://ocsptest.ddns.net/ --cert-status
curl: (91) SSL certificate revocation reason: (UNKNOWN) (-1)
test

The first request results in an error, but the second one unjustly passes through as the normal case.
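A regression check for the behaviour shown in the transcript above, added here as an example and not part of the original report: one curl process fetches the same URL twice with --cert-status so the second transfer reuses the TLS session, and every transfer's exit code is inspected rather than only the process exit status. The sample lines are constructed from the transcript, and the %{exitcode} and %{url} write-out variables assume curl 7.75.0 or newer.

```shell
#!/bin/sh
# Regression check for the CVE-2024-0853 pattern: one curl process fetches the
# same HTTPS URL twice with --cert-status, so the second transfer reuses the TLS
# session. Every transfer must be rejected (exit code 91); a success after an
# earlier rejection of the same URL is the bypass described in the report.
# Added example, not from the original report. Requires curl >= 7.75.0 for the
# %{exitcode} and %{url} write-out variables.

# classify_transfers reads "exitcode url" lines (one per transfer) from stdin.
# Returns 0 when no bypass is visible, 1 when a URL was accepted after an earlier
# transfer to it was rejected for revocation, 2 when nothing was ever rejected
# (the target is not actually serving a revoked certificate).
classify_transfers() {
    rejected=""   # URLs already rejected with CURLE_SSL_INVALIDCERTSTATUS (91)
    verdict=0
    while read -r code url; do
        [ -n "$code" ] || continue
        case "$code" in
            91) rejected="$rejected $url" ;;
            0) case " $rejected " in
                   *" $url "*) echo "BYPASS: $url accepted after revocation failure"
                               verdict=1 ;;
               esac ;;
        esac
    done
    if [ "$verdict" -eq 0 ] && [ -z "$rejected" ]; then
        echo "NO REJECTION: target never failed revocation checking"
        return 2
    fi
    [ "$verdict" -eq 0 ] && echo "OK: every transfer to the revoked host was rejected"
    return "$verdict"
}

# run_check performs the live test against $1 and feeds the per-transfer results
# to classify_transfers (not executed here, since it needs network access).
run_check() {
    curl --silent --output /dev/null --cert-status \
         --write-out '%{exitcode} %{url}\n' "$1" "$1" | classify_transfers
}

# Constructed samples mirroring the transcript in the report, not live output.
SAMPLE_VULNERABLE='91 https://ocsptest.ddns.net/
0 https://ocsptest.ddns.net/'
SAMPLE_FIXED='91 https://ocsptest.ddns.net/
91 https://ocsptest.ddns.net/'

printf '%s\n' "$SAMPLE_VULNERABLE" | classify_transfers || echo "(status $?)"
printf '%s\n' "$SAMPLE_FIXED" | classify_transfers || echo "(status $?)"
```

Against a live host, `run_check https://ocsptest.ddns.net/` exits 1 on a curl build that still has the bypass and 0 on a fixed build.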

Impact

Bypassing OCSP verification.