CVE-2024-12797

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/02/2025
Last modified:
18/02/2025

Description

Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.

Impact summary: TLS and DTLS connections using raw public keys may be vulnerable to man-in-the-middle attacks when server authentication failure is not detected by clients.

RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain. The affected clients are those that then rely on the handshake to fail when the server's RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER.

Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected. This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.