Security details in SwiftNIO SSL

OpenSSL published a security update today addressing CVE-2020-1971, a null pointer dereference in the X.509 library. As BoringSSL has not changed the X.509 implementation since the fork from OpenSSL, this issue does affect BoringSSL.

Happily, the issue does not affect SwiftNIO SSL in any release. This issue occurs only when using CRLs to validate X.509 certificates. SwiftNIO SSL does not support CRLs and never retrieves them, so it is not subject to this issue. As a result there is no security impact to SwiftNIO SSL users.
