Medium severity5.3NVD Advisory· Published Apr 27, 2017· Updated May 13, 2026

CVE-2017-8301

Description

LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.

Affected products

OpenBSD/Libressl3 versions
cpe:2.3:a:openbsd:libressl:2.5.1:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:openbsd:libressl:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:libressl:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:libressl:2.5.3:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/libressl-portable/portable/issues/307nvdIssue TrackingPatchThird Party Advisory
trac.nginx.org/nginx/ticket/1257nvdIssue TrackingPatchThird Party Advisory
seclists.org/oss-sec/2017/q2/145nvdMailing ListThird Party Advisory
www.securityfocus.com/bid/98076nvdThird Party AdvisoryVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000