OpenSSL Raw Public Key Authentication Vulnerability Allowing Man-in-the-Middle Attacks

Vulnerability

A vulnerability exists in OpenSSL 3.4, 3.3, and 3.2: clients that use RFC 7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because the handshake does not abort as expected when the SSL_VERIFY_PEER verification mode is set. TLS and DTLS connections that use raw public keys are therefore exposed to man-in-the-middle attacks whenever the client does not detect the server authentication failure itself. RPKs are disabled by default on both clients and servers, so the issue only arises when a client explicitly enables RPK use by the server and the server is configured to send an RPK instead of an X.509 certificate chain. The bug was introduced with the initial RPK implementation in OpenSSL 3.2. The FIPS modules in OpenSSL 3.4, 3.3, 3.2, 3.1, and 3.0 are not affected, and OpenSSL 1.1.1 and 1.0.2 are not affected either.

Impact

An attacker positioned between the client and the server can present a raw public key of their own choosing; an affected client completes the handshake even though that key matches none of the keys it expected, allowing the attacker to intercept and modify the communication.

Reproduction

Configure a TLS or DTLS client to accept a raw public key from the server and a server to send an RPK instead of an X.509 certificate chain (both are off by default). Set the client's verification mode to SSL_VERIFY_PEER and supply the expected server public key(s); in OpenSSL an RPK is matched against DANE-EE TLSA records, configured with SSL_dane_enable() and SSL_dane_tlsa_add(). Then connect to a server whose raw public key matches none of the expected keys. The handshake should abort with a verification error; on an affected version it completes instead. SSL_get_verify_result() still reports the failure, so clients that call it after the handshake and refuse to proceed on anything other than X509_V_OK are not affected. The vulnerable clients are those that rely on SSL_VERIFY_PEER alone to make the handshake fail, because that check is not applied automatically.
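The following Python is an added example, not code from OpenSSL or from this advisory. It models the key-matching step that the two sections above describe: the expected server key is expressed as a DANE-EE (usage 3), SubjectPublicKeyInfo (selector 1), SHA-256 (matching type 1) TLSA record, which is the form an RPK-enabled OpenSSL client pins the expected key with, and the received raw public key is compared against those pins. The SPKI bytes are constructed sample data (an Ed25519 SPKI header with a dummy 32-byte key), and client_decision() is an assumed model of the affected client, showing that a mismatched key is only rejected when the application consults the verification result.

```python
import hashlib
import hmac

# Constructed sample data: the 12-byte DER SubjectPublicKeyInfo header for
# id-Ed25519 followed by a dummy 32-byte public key. Not a real server key.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SERVER_SPKI_DER = _ED25519_SPKI_PREFIX + bytes(range(32))

# TLSA parameters used to pin a raw public key: DANE-EE(3), selector
# SubjectPublicKeyInfo(1), matching type SHA-256(1).
DANE_EE, SEL_SPKI, MTYPE_SHA256 = 3, 1, 1


def tlsa_rrdata(spki_der: bytes) -> str:
    """Return the '3 1 1 <hex>' TLSA record that pins this SPKI."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"{DANE_EE} {SEL_SPKI} {MTYPE_SHA256} {digest}"


def parse_tlsa_rrdata(rrdata: str) -> tuple:
    """Split presentation-format rrdata into (usage, selector, mtype, data)."""
    usage, selector, mtype, data = rrdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)


def rpk_matches(received_spki_der: bytes, expected_rrdata: list) -> bool:
    """Does the server's raw public key match one of the expected pins?

    Only DANE-EE / SPKI / SHA-256 records are understood here; any other
    record is skipped, so an unusable pin can never produce a false match.
    """
    actual = hashlib.sha256(received_spki_der).digest()
    for rr in expected_rrdata:
        usage, selector, mtype, data = parse_tlsa_rrdata(rr)
        if (usage, selector, mtype) != (DANE_EE, SEL_SPKI, MTYPE_SHA256):
            continue
        if hmac.compare_digest(actual, data):
            return True
    return False


def client_decision(received_spki_der: bytes, expected_rrdata: list,
                    checks_verify_result: bool) -> bool:
    """Assumed model of the affected client, not OpenSSL's logic.

    The flawed handshake completes whether or not the key matched, so the
    connection is refused only if the application consults the verify
    result (SSL_get_verify_result() in OpenSSL) and acts on it.
    Returns True when the client goes on to use the connection.
    """
    verified = rpk_matches(received_spki_der, expected_rrdata)
    if checks_verify_result:
        return verified
    return True  # handshake "succeeded"; nothing else stops the client


if __name__ == "__main__":
    pins = [tlsa_rrdata(SERVER_SPKI_DER)]
    rogue_spki = _ED25519_SPKI_PREFIX + bytes(32)  # constructed attacker key
    print("pin:", pins[0])
    print("genuine key accepted:", client_decision(SERVER_SPKI_DER, pins, True))
    print("rogue key, verify result checked:",
          client_decision(rogue_spki, pins, True))
    print("rogue key, verify result ignored:",
          client_decision(rogue_spki, pins, False))
```

The same pin format is what the OpenSSL command line takes: an RPK-enabled client is exercised with openssl s_client -enable_server_rpk together with -dane_tlsa_domain and -dane_tlsa_rrdata "3 1 1 <hex>", and the verify return code it prints is the value an application obtains from SSL_get_verify_result(). In C, the mitigation for an affected client is to call SSL_get_verify_result() after SSL_connect() returns and to close the connection unless the result is X509_V_OK.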

Remediation

Users of OpenSSL 3.4 should upgrade to version 3.4.1, those on 3.3 should upgrade to 3.3.3, and OpenSSL 3.2 users should upgrade to 3.2.4.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 8.6
impact: 3.1
exploitability: 7.2
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.