certificateverify
About this tag
The certificateverify tag covers discussions about the CertificateVerify message in TLS handshakes, particularly security vulnerabilities that allow signature or digest downgrade attacks. Recent threads detail CVE-2025-11934, a flaw in wolfSSL TLS 1.3 where a server can negotiate a weaker ECDSA curve than the client preferred during CertificateVerify, and CVE-2025-12889, a TLS 1.2 bug letting a client choose a weaker message digest than requested during client-certificate authentication. Both were fixed in wolfSSL 5.8.4. These topics are relevant for developers and IT professionals managing TLS implementations and certificate-based authentication.
wolfSSL disclosed a protocol-validation flaw tracked as CVE-2025-11934 that can let a TLS 1.3 handshake inadvertently downgrade the signature algorithm used for CertificateVerify, enabling a server-side negotiation to settle on a weaker ECDSA curve than the client originally preferred — a...
A newly recorded flaw in TLS 1.2 implementations lets a client deliberately choose a weaker message digest than the server requested during client-certificate authentication — a subtle but real violation of the TLS 1.2 handshake rules that has been cataloged as CVE-2025-12889 and fixed in the...