| # OpenSSL Advisory: March 28th, 2023 |
| |
| OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20230328.txt). Here's how it affects BoringSSL: |
| |
| CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL |
| ----|---------|-----------------------|--------------------- |
| CVE-2023-0465 | Invalid certificate policies in leaf certificates are silently ignored | Low | Fixed [December 2022](https://boringssl.googlesource.com/boringssl/+/d1b20a9580aebb6fbb0b1b2408cf1221d83afb71) |
| CVE-2023-0466 | Certificate policy check not enabled | Low | See discussion below |
| |
| [Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity |
| |
| ## CVE-2023-0465 |
| |
| We discovered this issue while working on the X.509 implementation in BoringSSL. This was fixed in BoringSSL on [December 20, 2022](https://boringssl.googlesource.com/boringssl/+/d1b20a9580aebb6fbb0b1b2408cf1221d83afb71). Applications that enable policy validation should update to `d1b20a9580aeb` or later. |
| |
| Policy validation is enabled if one of the following APIs is used: |
| |
| * `X509_VERIFY_PARAM_set1_policies` |
| * `X509_V_FLAG_POLICY_CHECK` |
| * `X509_V_FLAG_EXPLICIT_POLICY` |
| * `X509_V_FLAG_INHIBIT_ANY` |
| * `X509_V_FLAG_INHIBIT_MAP` |
| |
| ## CVE-2023-0466 |
| |
| We discovered this issue while working on the X.509 implementation in BoringSSL. The `X509_VERIFY_PARAM_add0_policy` function, contrary to its documentation in OpenSSL, does not implicitly enable policy validation. OpenSSL opted to leave the function’s behavior unchanged and update the documentation. |
| |
| Applications that call `X509_VERIFY_PARAM_add0_policy` and do not use one of the above APIs should explicitly call `X509_VERIFY_PARAM_set_flags` with `X509_V_FLAG_POLICY_CHECK` if the intent was to enable policy validation. |
| |
| Future revisions of BoringSSL may enable policy validation unconditionally to address some [issues with critical extensions](https://bugs.chromium.org/p/boringssl/issues/detail?id=557), which will make this moot. |
| |
| *January 27th, 2026 addendum: Policy validation was enabled unconditionally in BoringSSL shortly after this advisory was published, on [March 30th, 2023](https://boringssl.googlesource.com/boringssl/+/28226f584e8fb65eb8730721dcb5001f2a072efc).* |