When SessionTicketsDisabled is set, crypto/tls allowed man-in-the-middle
attackers to spoof clients via unspecified vectors.
If the server enables TLS client authentication using certificates (this is
rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,
then a malicious client can falsely assert ownership of any client
certificate it wishes.
This is CVE-2014-7189, fixed in Go 1.3.2 by https://go.dev/cl/148080043.
Announcement: https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ
Issue filed retroactively for the vulnerability database.
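The vulnerable condition described above is a specific combination of two tls.Config settings: a ClientAuth mode that accepts client certificates together with SessionTicketsDisabled set to true. The following configuration audit helper is an added example for this issue, not code from the Go project or from the fix CL; it flags that pairing so a deployment running a Go release before 1.3.2 can be reviewed before upgrading. The function names `auditTLSConfig` and `riskyClientAuth` are assumptions; the tls.Config fields and ClientAuthType constants are the real ones from crypto/tls.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// riskyClientAuth reports whether cfg combines certificate-based client
// authentication with SessionTicketsDisabled, the pairing that
// CVE-2014-7189 affected on Go releases before 1.3.2.
// Any ClientAuth mode other than NoClientCert asks the client for a
// certificate, so all of them count as "client authentication enabled".
// (Hypothetical helper written for this example.)
func riskyClientAuth(cfg *tls.Config) bool {
	if cfg == nil {
		return false
	}
	clientAuthEnabled := cfg.ClientAuth != tls.NoClientCert
	return clientAuthEnabled && cfg.SessionTicketsDisabled
}

// auditTLSConfig returns human-readable findings for a server tls.Config.
// It is a review aid only: the actual fix for CVE-2014-7189 is upgrading to
// Go 1.3.2 or later, not changing the configuration.
// (Hypothetical helper written for this example.)
func auditTLSConfig(name string, cfg *tls.Config) []string {
	var findings []string
	if riskyClientAuth(cfg) {
		findings = append(findings, fmt.Sprintf(
			"%s: ClientAuth=%v with SessionTicketsDisabled=true; "+
				"on Go < 1.3.2 a client could claim any certificate (CVE-2014-7189)",
			name, cfg.ClientAuth))
	}
	return findings
}

func main() {
	// Constructed sample configurations for demonstration.
	configs := map[string]*tls.Config{
		"mtls-tickets-off": {
			ClientAuth:             tls.RequireAndVerifyClientCert,
			SessionTicketsDisabled: true,
		},
		"mtls-tickets-on": {
			ClientAuth: tls.RequireAndVerifyClientCert,
		},
		"no-client-auth": {
			SessionTicketsDisabled: true,
		},
	}
	for name, cfg := range configs {
		for _, f := range auditTLSConfig(name, cfg) {
			fmt.Println(f)
		}
	}
}
```

Only the first sample configuration is reported; disabling session tickets on its own, or requiring client certificates on its own, does not match the affected combination.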