VYPR
Moderate severity · NVD Advisory · Published May 3, 2022 · Updated May 5, 2025

OCSP_basic_verify may incorrectly verify the response signing certificate

CVE-2022-1343

Description

The function OCSP_basic_verify verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of OCSP_basic_verify will not use the OCSP_NOCHECKS flag. In this case the OCSP_basic_verify function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

When the non-default OCSP_NOCHECKS flag is used, OpenSSL's OCSP_basic_verify returns success even if the signing certificate fails verification.

Vulnerability

The function OCSP_basic_verify in OpenSSL versions 3.0.0, 3.0.1, and 3.0.2 mishandles the non-default OCSP_NOCHECKS flag. Its documented contract is a positive return for a verified response, 0 when verification fails, and a negative value for a fatal error. When OCSP_NOCHECKS is set, the function returns a positive value (success) even though the certificate that signed the response fails to verify. When the flag is not set, callers are not fooled into accepting the response, but a signer verification failure is reported as a negative value (fatal error) rather than the expected 0. The command line ocsp application with the "-no_cert_checks" option is affected in the same way: it reports "verify OK" while also printing the verification errors that contradict it. [1][2]

Exploitation

An attacker does not need to authenticate to the verifier, but must be able to put a crafted OCSP response in front of it, for example by running or answering for the OCSP responder it queries. The response needs no valid signature chain: its signing certificate can be one the verifier does not trust at all. The bug is only triggered when the verifying application explicitly passes the OCSP_NOCHECKS flag to OCSP_basic_verify, or the ocsp command is invoked with the "-no_cert_checks" option; in that configuration the function returns a success indicator despite the failed certificate validation. No user interaction is required once the response reaches the verifier. [1][2]
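The following C program is an added model of the behaviour described above; it is not OpenSSL code and does not link against libcrypto. It assumes (as an illustration, not something the advisory states) that the failure was a positive internal verify error code leaking into the variable that is also the function's return value, and it names its stand-ins for X509_verify_cert, X509_STORE_CTX and the X509_V_ERR_* codes accordingly. The flag value, error-code values and the signer descriptors are constructed for the example. What it shows is why the three-valued contract of OCSP_basic_verify (>0 verified, 0 failed, <0 fatal) is fragile: any positive number that escapes becomes "verified", and the OCSP_NOCHECKS shortcut is the path that returns it unchecked.

```c
#include <stdio.h>

/* Flag and error-code values are assumed for this model; only the name
 * OCSP_NOCHECKS and the >0 / 0 / <0 contract come from the advisory. */
#define OCSP_NOCHECKS 0x1UL

enum verify_error {
    V_OK = 0,
    V_ERR_CERT_HAS_EXPIRED = 10,                /* positive, like X509_V_ERR_* */
    V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
};

/* Constructed stand-in for the certificate that signed the OCSP response. */
struct signer {
    const char *name;
    int issuer_known;   /* can a chain to a trust anchor be built? */
    int expired;
};

/* Stand-in for X509_STORE_CTX: remembers the last verify error. */
struct verify_ctx {
    int error;
    int chain_built;
};

/* Stand-in for X509_verify_cert(): 1 on success, 0 on failure with error set. */
static int verify_cert(struct verify_ctx *ctx, const struct signer *s)
{
    ctx->chain_built = 0;
    if (!s->issuer_known) {
        ctx->error = V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
        return 0;
    }
    if (s->expired) {
        ctx->error = V_ERR_CERT_HAS_EXPIRED;
        return 0;
    }
    ctx->error = V_OK;
    ctx->chain_built = 1;
    return 1;
}

typedef int (*signer_check_fn)(const struct signer *, int *chain_built);

/* Vulnerable pattern: the verify error code is copied into the variable that is
 * also the return value so it can be logged. Error codes are positive, so a
 * failed check is handed back to the caller as a positive "success". */
static int verify_signer_vuln(const struct signer *s, int *chain_built)
{
    struct verify_ctx ctx;
    int ret = verify_cert(&ctx, s);

    *chain_built = ctx.chain_built;
    if (ret <= 0) {
        ret = ctx.error;     /* BUG: ret is now 10 or 20, both > 0 */
        fprintf(stderr, "%s: verify error %d\n", s->name, ret);
    }
    return ret;
}

/* Fixed pattern: the error code gets its own variable; ret stays 0 on failure. */
static int verify_signer_fixed(const struct signer *s, int *chain_built)
{
    struct verify_ctx ctx;
    int ret = verify_cert(&ctx, s);

    *chain_built = ctx.chain_built;
    if (ret <= 0) {
        int err = ctx.error;
        fprintf(stderr, "%s: verify error %d\n", s->name, err);
    }
    return ret;
}

/* Model of the OCSP_basic_verify contract: >0 verified, 0 verification failed,
 * <0 fatal error. Callers must test ret > 0, never ret != 0. */
static int basic_verify(const struct signer *s, unsigned long flags, signer_check_fn check)
{
    int chain_built = 0;
    int ret = check(s, &chain_built);

    if (ret <= 0)
        return ret;                  /* 0: signer did not verify */
    if (flags & OCSP_NOCHECKS)
        return 1;                    /* trust the signer check alone */
    /* The remaining issuer/trust checks need the verified chain. When a leaked
     * error code reaches this point there is no chain, so the model reports a
     * fatal error (<0): the wrong-but-safe result the advisory describes for
     * callers that do not set OCSP_NOCHECKS. */
    if (!chain_built)
        return -1;
    return 1;                        /* chain present: issuer checks assumed to pass */
}

int main(void)
{
    const struct signer bad  = { "responder-cert-with-unknown-issuer", 0, 0 };
    const struct signer good = { "responder-cert", 1, 0 };

    printf("vuln  NOCHECKS bad : %d\n", basic_verify(&bad, OCSP_NOCHECKS, verify_signer_vuln));
    printf("vuln  default  bad : %d\n", basic_verify(&bad, 0, verify_signer_vuln));
    printf("fixed NOCHECKS bad : %d\n", basic_verify(&bad, OCSP_NOCHECKS, verify_signer_fixed));
    printf("fixed default  good: %d\n", basic_verify(&good, 0, verify_signer_fixed));
    return 0;
}
```

Run with a signer whose issuer is unknown: the vulnerable path returns 1 under OCSP_NOCHECKS and -1 without it, the fixed path returns 0 in both cases, and a good signer verifies as 1 either way. The lesson for callers is the same as for the library: keep diagnostics out of the return variable, and treat only a strictly positive result as a verified response.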

Impact

Successful exploitation makes OCSP response verification report success for a response whose signer is not trusted. An attacker can therefore hand the verifier a forged response, for example one asserting "good" status for a certificate that has actually been revoked, and it will be accepted, defeating the revocation check that OCSP exists to provide. The impact is on integrity: a failed verification is reported as successful. No confidentiality or availability impact is described. [1][2]

Mitigation

OpenSSL 3.0.3, released on 3 May 2022, fixes this vulnerability. Users of affected OpenSSL 3.0.0 through 3.0.2 should upgrade to 3.0.3. For the Rust openssl-src crate, which bundles OpenSSL sources, versions >= 300.0.6 contain the fix; versions prior to 300.0 bundle OpenSSL 1.1.1 and are unaffected. Where an immediate upgrade is not possible, stop passing OCSP_NOCHECKS to OCSP_basic_verify and drop "-no_cert_checks" from scripts that call the ocsp command: the default code path is not fooled into accepting an invalid response, although on affected versions it reports a signer verification failure as a negative (fatal) return value rather than 0. Callers should in any case treat only a return value greater than 0 as a verified response. [1][2][4]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: openssl-src (crates.io)
Affected versions: >= 300.0.0, < 300.0.6
Patched versions: 300.0.6
