OpenSSL && CVE-2022-0778
-
Hi everyone,
I use HAProxy as a concentrator and as an element of TLS offloading. Regarding this problem in the OpenSSL libraries, CVE-2022-0778: is an update planned before the release of the new version of pfSense?
Thank you
-
Unless you require client certificates for authentication, it wouldn't typically be relevant to that role. When acting as a server the problem scenario would be if a client submits a maliciously crafted bad certificate. If HAProxy isn't configured to allow client certificates, no peer would have an opportunity to feed HAProxy such a bad certificate.
If you are doing TLS handoff to other TLS servers, then it could maybe get a bad cert from one of them, but if one of your own internal servers is compromised you have a lot more problems than a HAProxy DoS.
If HAProxy is doing TLS handoff to plain HTTP backends then there is no opportunity for that CVE to come into play that I'm aware of.
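The reply above names two configurations in which HAProxy would receive a peer certificate: client certificates on a frontend, and TLS to a backend. The script below is an added example, not part of the original post or of HAProxy or pfSense; it lists the `bind` and `server` lines of a configuration that fall into either case. The sample configuration, addresses, file paths and the function names are constructed for illustration.

```python
# Added example: flag haproxy.cfg lines where HAProxy receives a peer certificate.
# Constructed sample configuration, not taken from the thread.
SAMPLE_CFG = """\
frontend fe_public
    bind :443 ssl crt /etc/ssl/site.pem
    default_backend be_plain

frontend fe_mtls
    bind :8443 ssl crt /etc/ssl/site.pem ca-file /etc/ssl/ca.pem verify required
    default_backend be_tls

backend be_plain
    server app1 10.0.0.10:80 check

backend be_tls
    server app2 10.0.0.20:443 ssl verify required ca-file /etc/ssl/ca.pem
"""

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
SERVER_KEYWORDS = ("server", "default-server", "server-template")


def _option(words, name, default):
    """Return the word following `name` on the line, or `default` if absent."""
    if name in words[:-1]:
        return words[words.index(name) + 1]
    return default


def cert_parsing_paths(cfg_text):
    """Return (section, line_no, reason) for lines where a peer certificate arrives."""
    findings, section = [], "(none)"
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
        elif words[0] == "bind" and "ssl" in words:
            # A bind line without "verify" behaves as "verify none": no client cert asked for.
            mode = _option(words, "verify", "none")
            if mode in ("optional", "required"):
                findings.append((section, no, "client certificates accepted (verify %s)" % mode))
        elif words[0] in SERVER_KEYWORDS and "ssl" in words:
            findings.append((section, no, "TLS to backend: backend presents a certificate"))
    return findings


if __name__ == "__main__":
    for section, no, reason in cert_parsing_paths(SAMPLE_CFG):
        print("line %d [%s]: %s" % (no, section, reason))
```

It only inspects options written directly on `bind` and server lines; settings pulled in from a `crt-list` file or global defaults are not followed.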
-
Perfect, thanks very much!