Summary:
The function X509_VERIFY_PARAM_add0_policy() is documented to
implicitly enable the certificate policy check when doing certificate
verification. However, the implementation of the function does not
enable the check, which allows certificates with invalid or incorrect
policies to pass certificate verification.
As suddenly enabling the policy check could break existing deployments, it was
decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
function.
Instead, applications that require OpenSSL to perform the certificate
policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly
enable the policy check by calling X509_VERIFY_PARAM_set_flags() with
the X509_V_FLAG_POLICY_CHECK flag argument.
Certificate policy checks are disabled by default in OpenSSL and are not
commonly used by applications.
Severity: Low
Advisory ID: KylinSec-SA-2025-2301
Release date: April 20, 2025
Related CVE: CVE-2023-0466
CVE | Product | Component | Affected |
---|---|---|---|
CVE-2023-0466 | KY3.4-5A | compat-openssl11 | Unaffected |
CVE-2023-0466 | V6 | compat-openssl11 | Unaffected |