You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
attackers to spoof clients via unspecified vectors.
If the server enables TLS client authentication using certificates (this is
rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,
then a malicious client can falsely assert ownership of any client
certificate it wishes.
When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
attackers to spoof clients via unspecified vectors.
If the server enables TLS client authentication using certificates (this is
rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,
then a malicious client can falsely assert ownership of any client
certificate it wishes.
This is CVE-2014-7189, fixed in Go 1.3.2 by https://go.dev/cl/148080043.
Announcement: https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ
Issue filed retroactively for the vulnerability database.
The text was updated successfully, but these errors were encountered: