You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
tls security
About this tag
The TLS security tag on WindowsForum.com covers vulnerabilities and trust-store management issues in TLS implementations. Topics include certificate validation bugs in Mbed TLS (CVE-2020-36478) and Go's crypto/x509 on macOS (CVE-2022-27536), a denial-of-service flaw in Rustls causing infinite loops during handshakes, and the removal of e-Tugra root certificates from Certifi (CVE-2023-37920) which created availability trade-offs. These discussions focus on patching, dependency chains, and real-world impacts on software ecosystems and infrastructure. The tag is relevant for developers, IT administrators, and security professionals managing TLS-dependent systems.
Microsoft and SAP are accelerating enterprise post-quantum cryptography plans, with Microsoft moving its Quantum Safe Program toward a 2029 transition for its services and products while SAP adds hybrid post-quantum key exchange to TLS connections in SAP HANA cloud systems now.
The news...
Microsoft’s Security Update Guide entry for CVE-2026-42013 describes a GnuTLS certificate-validation flaw in which an oversized Subject Alternative Name can make validation fall back to the certificate Common Name, potentially enabling spoofing or man-in-the-middle attacks against software that...
Microsoft’s Security Update Guide entry for CVE-2026-42012 describes a GnuTLS certificate-validation bypass, published in late May 2026, in which certificates carrying URI or SRV Subject Alternative Names can be mishandled and accepted through a fallback to Common Name hostname checks in...
Mbed TLS contained a certificate‑validation bug that could let certain malformed certificates be accepted as valid — a subtle but consequential lapse in the X.509 verification logic that affected multiple branches of the library and required coordinated package updates and rebuilds across the...
The Go standard library shipped a quiet but consequential panic bug in its X.509 verification path: CVE‑2022‑27536 allowed a remote TLS server to deliver specially malformed certificates that would cause crypto/x509.Certificate.Verify to panic on macOS, crashing TLS clients built with Go 1.18.0...
Certifi’s decision to remove e‑Tugra root certificates—tracked as CVE‑2023‑37920—was a corrective security action that rippled across software ecosystems and vendor supply chains, but it also exposed a practical tension: removing a distrusted root protects integrity while simultaneously risking...
Rustls—the widely used, memory-safe TLS library written in Rust—contains a denial‑of‑service design flaw: under a specific, easily reproducible handshake sequence a blocking rustls server can enter an infinite loop inside rustls::conn::ConnectionCommon::complete_io(), consuming CPU and...