CWE-295 in go SDK,client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authenticated.
#41175 · Closed · wangting1995 opened this issue Sep 2, 2020 · 3 comments
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
go env Output
$ go env
What did you do?
A certification validation error occurred when using Defensics Fuzz, a tool for checking security vulnerabilities, to test the gRPC service port with SSL authentication.
We have used the Defensics Fuzz Testing Tool to test the gRPC service port. The tool distorted the client certificate signature content and tried to establish communication. The packet capture showed that the client message was malformed; however, in the server TLS authentication, it was found that Go's crypto\x509\x509.go passed authentication.
We highly suspected that it is a flaw in Go language TLS authentication.
Please confirm whether the Go language has this error.
What did you expect to see?
authentication failed
What did you see instead?
authentication passed
wangting1995 changed the title from "We have used the Synopsys Defensics tool to test the grpc service port. The tool distorted the client certificate signature content and tried to establish communication. The packet capture showed that the client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authenticated. Please confirm whether the go language has this error?" to "CWE-295 in go SDK,client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authenticated." on Sep 2, 2020
@wangting1995 without a way to reproduce your issue we cannot investigate. Please update the issue to include a self-contained program that demonstrates the issue. Thank you.
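Added example, not part of the issue thread or of the Go project's code: a self-contained check of how `crypto/x509` treats a client certificate whose signature bytes were altered after issuance. It covers chain verification only, not the reporter's gRPC or Defensics setup; the CA, the client certificate and the helper names (`must`, `newCert`, `check`) are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors (illustrative helper, like newCert and check).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues t for key, signed by signer under parent (constructed test data).
func newCert(t, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	t.SerialNumber = big.NewInt(time.Now().UnixNano())
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))))
}

// check verifies an intact client certificate and a copy with one signature bit flipped.
func check() (intact, tampered error) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caT := &x509.Certificate{Subject: pkix.Name{CommonName: "constructed test CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := newCert(caT, caT, caKey, caKey)
	leaf := newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "constructed client"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, key, caKey)
	bad := append([]byte(nil), leaf.Raw...)
	bad[len(bad)-1] ^= 0x01 // last DER byte lies inside signatureValue
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(ca)
	_, intact = leaf.Verify(opts)
	_, tampered = must(x509.ParseCertificate(bad)).Verify(opts) // parsing succeeds; Verify checks the signature
	return intact, tampered
}

func main() {
	fmt.Println(check()) // intact error, then tampered error
}
```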