SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions

medium Nessus Plugin ID 56284

Synopsis

An X.509 certificate in the chain used by this service fails to adhere to all of its basic constraints and key usage extensions.

Description

An X.509 certificate sent by the remote host contains one or more violations of the restrictions imposed on it by RFC 5280. This means that either a root or intermediate Certificate Authority signed a certificate incorrectly.

Certificates that fail to adhere to the restrictions in their extensions may be rejected by certain software. The existence of such certificates indicates either an oversight in the signing process, or malicious intent.
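To make the RFC 5280 rules behind this finding concrete, the following Python snippet is an added example (it is not the plugin's NASL code and not part of the original page). It models the extension fields the check cares about and evaluates a server-supplied chain against three rules: every certificate that issued another one must carry basicConstraints with cA=TRUE, its pathLenConstraint (if present) must not be exceeded by the intermediates below it, and a keyUsage extension (if present) must include keyCertSign; in addition, any certificate asserting keyCertSign must also assert cA. The two chains at the bottom are constructed sample data with hypothetical subject names, and self-issued intermediates are not treated specially (a simplification of RFC 5280 section 6.1.4).

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

KEY_CERT_SIGN = "keyCertSign"


@dataclass(frozen=True)
class BasicConstraints:
    ca: bool
    path_len: Optional[int] = None  # None: no pathLenConstraint present


@dataclass(frozen=True)
class Cert:
    subject: str
    basic_constraints: Optional[BasicConstraints] = None  # None: extension absent
    key_usage: Optional[FrozenSet[str]] = None            # None: extension absent


def check_chain(chain: List[Cert]) -> List[str]:
    """Return the RFC 5280 extension violations found in `chain`.

    `chain` is ordered as a TLS server sends it: leaf first, root last.
    Self-issued intermediates get no special treatment (simplification).
    """
    findings: List[str] = []

    # RFC 5280 4.2.1.9: if keyCertSign is asserted, cA MUST be TRUE too.
    for cert in chain:
        usage = cert.key_usage or frozenset()
        bc = cert.basic_constraints
        if KEY_CERT_SIGN in usage and not (bc and bc.ca):
            findings.append(f"{cert.subject}: keyUsage asserts keyCertSign "
                            "but basicConstraints cA is not TRUE")

    # Every certificate after the leaf signed the one before it.
    issuers = chain[1:]
    for idx, cert in enumerate(issuers):
        bc = cert.basic_constraints
        if bc is None or not bc.ca:
            findings.append(f"{cert.subject}: signs a certificate but "
                            "basicConstraints cA is not TRUE")
        elif bc.path_len is not None:
            # issuers[0] is the leaf's direct issuer, so `idx` is exactly the
            # number of intermediate CA certificates below this issuer.
            if idx > bc.path_len:
                findings.append(f"{cert.subject}: pathLenConstraint={bc.path_len} "
                                f"but {idx} intermediate(s) follow it")
        if cert.key_usage is not None and KEY_CERT_SIGN not in cert.key_usage:
            findings.append(f"{cert.subject}: signs a certificate but "
                            "keyUsage lacks keyCertSign")
    return findings


def is_compliant(chain: List[Cert]) -> bool:
    return not check_chain(chain)


# Constructed sample data (hypothetical names), not real certificates.
GOOD_CHAIN = [
    Cert("CN=www.example.test", BasicConstraints(ca=False),
         frozenset({"digitalSignature", "keyEncipherment"})),
    Cert("CN=Example Issuing CA", BasicConstraints(ca=True, path_len=0),
         frozenset({"keyCertSign", "cRLSign"})),
    Cert("CN=Example Root CA", BasicConstraints(ca=True, path_len=1),
         frozenset({"keyCertSign", "cRLSign"})),
]

BAD_CHAIN = [
    Cert("CN=www.example.test", BasicConstraints(ca=False),
         frozenset({"digitalSignature"})),
    # Signs the leaf but has no basicConstraints extension at all.
    Cert("CN=Example Sub CA 2", None,
         frozenset({"digitalSignature", "keyCertSign"})),
    # pathLen=0 yet one intermediate (Sub CA 2) sits below it.
    Cert("CN=Example Sub CA 1", BasicConstraints(ca=True, path_len=0),
         frozenset({"keyCertSign"})),
    # Root whose keyUsage forgot keyCertSign.
    Cert("CN=Example Root CA", BasicConstraints(ca=True),
         frozenset({"digitalSignature"})),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(f"{name}: {'OK' if is_compliant(chain) else 'VIOLATIONS'}")
        for line in check_chain(chain):
            print("  -", line)
```

Feeding the fields of a real chain into `Cert` (for example from a TLS library's parsed X.509 objects) turns this into the same class of check the plugin performs: the bad chain above yields four findings, one per misconfigured extension, while the good chain yields none.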

Solution

Alter the offending certificate's extensions and have it signed again.

See Also

http://www.ietf.org/rfc/rfc5280.txt

Plugin Details

Severity: Medium

ID: 56284

File Name: ssl_basic_constraints.nasl

Version: 1.10

Type: remote

Family: General

Published: 9/23/2011

Updated: 12/14/2016

Dependencies: ssl_certificate_chain.nasl

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

Required KB Items: SSL/Chain/Extension/BasicConstraints