Hi cafe, this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad certificate validation.
Some part of the certificate validation procedure were missing (relying on the work-in-progress x509 v3 extensions), and because of this anyone with a correct end-entity certificate can issue certificate for any arbitrary domain, i.e. acting as a CA. This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as soon as possible. Despite a very serious flaw in the certificate validation, I'm happy that the code is seeing some audits, and would want to thanks Ertugrul Söylemez for the findings [1]. [1] https://github.com/vincenthz/hs-tls/issues/29 -- Vincent _______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
