oss-sec mailing list archives
CVE-2025-23419: nginx: Client certificate authentication bypass with TLSv1.3 and session resumption
From: Solar Designer <solar () openwall com>
Date: Wed, 5 Feb 2025 18:35:29 +0100
----- Forwarded message from F5SIRT via nginx-announce <nginx-announce () nginx org> -----

To: "nginx-announce () nginx org" <nginx-announce () nginx org>
Date: Wed, 5 Feb 2025 17:23:12 +0000
Subject: [nginx-announce] nginx security advisory (CVE-2025-23419)
From: F5SIRT via nginx-announce <nginx-announce () nginx org>
Reply-To: F5SIRT <f5sirt () F5 com>

A problem with SSL session resumption in nginx was identified. It was possible to reuse SSL sessions in name-based virtual hosts in unrelated contexts, making it possible to bypass client certificate authentication in some configurations (CVE-2025-23419).

The problem affects nginx 1.11.4 and newer built with OpenSSL if the TLSv1.3 protocol and session resumption are enabled either with ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.

_______________________________________________
nginx-announce mailing list
nginx-announce () nginx org
https://mailman.nginx.org/mailman/listinfo/nginx-announce

----- End forwarded message -----
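An added configuration audit (not part of the advisory or of nginx itself) that applies the preconditions stated above to an nginx config: it flags every server block whose ssl_verify_client is anything other than off while the effective settings still allow TLSv1.3 and session resumption through ssl_session_cache or ssl_session_tickets. It assumes nginx's documented defaults (ssl_session_tickets on, ssl_session_cache none), treats a missing ssl_protocols directive as including TLSv1.3, and uses a constructed sample config with made-up hostnames.

```python
import re

def parse_conf(conf):
    """Minimal line-based parser: (http-level directives, [per-server directives])."""
    stack, http, servers = [], {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].split()[0])
            if stack[-1] == "server":
                servers.append({})
        elif line == "}":
            stack.pop()
        elif stack and (m := re.match(r"(\S+)\s+(.*?)\s*;$", line)):
            if stack[-1] == "http":
                http[m.group(1)] = m.group(2)
            elif stack[-1] == "server":  # directives in nested location{} etc. are ignored
                servers[-1][m.group(1)] = m.group(2)
    return http, servers
def resumption_enabled(d):
    # nginx defaults: ssl_session_tickets on; ssl_session_cache none (nothing is stored).
    return d.get("ssl_session_tickets", "on") == "on" or d.get("ssl_session_cache", "none") not in ("off", "none")
def tls13_enabled(d):
    # Without ssl_protocols, conservatively assume the build's default list includes TLSv1.3.
    return "ssl_protocols" not in d or "TLSv1.3" in d["ssl_protocols"].split()
def audit(conf):
    """server_name of each client-cert-protected vhost meeting the advisory's preconditions."""
    http, servers = parse_conf(conf)
    effective = [{**http, **s} for s in servers]  # server-level directives override http-level
    return [e.get("server_name", "<unnamed>") for e in effective
            if e.get("ssl_verify_client", "off") != "off" and tls13_enabled(e) and resumption_enabled(e)]

# Constructed sample: admin inherits TLSv1.3 and the shared cache from http{}; hardened turns resumption off.
SAMPLE_CONF = """http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    server {
        server_name public.example.test;
    }
    server {
        server_name admin.example.test;
        ssl_verify_client on;
    }
    server {
        server_name hardened.example.test;
        ssl_verify_client on;
        ssl_session_cache off;
        ssl_session_tickets off;
    }
}"""
```

Switching both resumption directives off on the protected vhost removes the precondition; on an affected build (1.11.4 up to but excluding 1.26.3 and 1.27.4) the durable fix is the upgrade named in the advisory.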
