Our client application uses cURL-7.19.7 + openssl-0.9.8l to transfer
text files via HTTPS, using server-only authentication. The only call
the cURL source makes to an openssl d2i_*_bio() or d2i_*_fp() function
is d2i_PKCS12_fp(). Unfortunately, it is not absolutely clear - yet -
that a PKCS#12-related function would have anything to do with an SSL
handshake sequence, which is the only time I surmise the CVE-2012-2110
vulnerability applies in this scenario. Now, I DO surmise - although
not having found it definitively stated anywhere - that the HTTPS server
does follow the ServerHello message by sending its certificate in ASN.1
representation in the Certificate message, and not in any other
representation. And, since I understand that the code for parsing ASN.1
is the heart of the vulnerability, I'm very much inclined to act as if
CVE-2012-2110 applies to our application. I do, however, want clarity
regarding this issue: Can someone make this glaringly clear for me?