OpenSSL have published a security advisory. Here's how it affects BoringSSL:

| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2023-0465 | Invalid certificate policies in leaf certificates are silently ignored | Low | Fixed December 2022 |
| CVE-2023-0466 | Certificate policy check not enabled | Low | See discussion below |

We discovered CVE-2023-0465 while working on the X.509 implementation in BoringSSL. This was fixed in BoringSSL on December 20, 2022. Applications that enable policy validation should update to d1b20a9580aeb or later.

Policy validation is enabled if one of the following APIs is used:

- X509_VERIFY_PARAM_set1_policies
- X509_V_FLAG_POLICY_CHECK
- X509_V_FLAG_EXPLICIT_POLICY
- X509_V_FLAG_INHIBIT_ANY
- X509_V_FLAG_INHIBIT_MAP

We discovered CVE-2023-0466 while working on the X.509 implementation in BoringSSL. The X509_VERIFY_PARAM_add0_policy function, contrary to its documentation in OpenSSL, does not implicitly enable policy validation. OpenSSL opted to leave the function's behavior unchanged and update the documentation.

Applications that call X509_VERIFY_PARAM_add0_policy and do not use one of the above APIs should explicitly call X509_VERIFY_PARAM_set_flags with X509_V_FLAG_POLICY_CHECK if the intent was to enable policy validation.

Future revisions of BoringSSL may enable policy validation unconditionally to address some issues with critical extensions, which will make this moot.

January 27th, 2026 addendum: Policy validation was enabled unconditionally in BoringSSL shortly after this advisory was published, on March 30th, 2023.