GHSA-857q-xmph-p2v5: s2n-tls's mTLS API ordering may skip client authentication

August 9, 2024

An API ordering issue in s2n-tls can cause client authentication to unexpectedly not be enabled on the server when it otherwise appears to be. Server applications are impacted if client authentication is enabled by calling s2n_connection_set_config() before calling s2n_connection_set_client_auth_type().

Applications are not impacted if these APIs are called in the opposite order, or if client authentication is enabled on the config with s2n_config_set_client_auth_type(). s2n-tls clients verifying server certificates are not impacted.

Impacted versions: < v1.5.0.

References

github.com/advisories/GHSA-857q-xmph-p2v5
github.com/aws/s2n-tls
github.com/aws/s2n-tls/commit/e8ca8911c5b2f2361687dec1467c45cd54d00b3f
github.com/aws/s2n-tls/security/advisories/GHSA-857q-xmph-p2v5

Code Behaviors & Features

Detect and mitigate GHSA-857q-xmph-p2v5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →