CVE-2026-45389

Vulnerability

In OCaml-TLS versions prior to 2.1.0, the server implementation does not validate the KeyUsage and ExtendedKeyUsage extensions of client certificates when mutual TLS (mTLS) is enabled. This allows a certificate that is not intended for client authentication (e.g., one with serverAuth only) to be accepted as a valid client certificate. The bug resides in the certificate chain validation logic, which checks the trust anchor but ignores the intended usage constraints defined in the certificate extensions [1].

Exploitation

An attacker needs a valid certificate signed by a trust anchor that the server accepts (e.g., a corporate CA or a public CA). The attacker presents a certificate that was issued for server authentication (e.g., with ExtendedKeyUsage set to id-kp-serverAuth and lacking id-kp-clientAuth) to the OCaml-TLS mTLS listener. The library performs chain validation against the trust store but does not verify that the certificate's KeyUsage includes digitalSignature or that ExtendedKeyUsage includes clientAuth. The handshake completes, and the attacker is authenticated as a client [1].

Impact

An attacker can impersonate a legitimate client at any OCaml-TLS service that requires mTLS. This can lead to unauthorized access to protected resources, such as administrative endpoints or sensitive data. The attacker does not need to compromise the CA or any legitimate client; any server certificate under the same trust store can be repurposed as a client certificate. The impact is especially severe when the trust store includes public CAs, as any publicly issued TLS server certificate (e.g., from Let's Encrypt) can be used [1].

Mitigation

The vulnerability is fixed in OCaml-TLS version 2.1.0. Users should upgrade to this version or later. No workaround is available for earlier versions. Administrators should also review their trust store configuration to minimize the risk of accepting unintended certificates [1].