Description
TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The post-handshake-auth exemption that allows an empty/absent peer certificate was only intended for the initial handshake, but it was also being applied while a post-handshake CertificateRequest was still outstanding. The check is now scoped to the initial handshake only: on the server, once a post-handshake CertificateRequest has been sent (certReqCtx is set), a peer certificate and a valid CertificateVerify are required again before the Finished is accepted, with empty-certificate handling following the configured verify mode (FAIL_IF_NO_PEER_CERT) just as during first-handshake client authentication. Only affects TLS 1.3 servers built with post-handshake authentication support (WOLFSSL_POST_HANDSHAKE_AUTH / --enable-postauth, included in --enable-all) that enable WOLFSSL_VERIFY_POST_HANDSHAKE and request a client certificate after the handshake via wolfSSL_request_certificate(). Clients, and servers that do not use post-handshake authentication, are unaffected.
Published: 2026-06-25
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A TLS 1.3 server using wolfSSL can accept the client’s Finished message even when the client has not provided a Certificate or CertificateVerify after a post‑handshake CertificateRequest. This bypasses the intended authentication step, allowing an unauthenticated client to proceed through the handshake and potentially gain unauthorized access to protected services, thereby exposing the confidentiality and integrity of the session. The weakness is a CWE‑287 authentication failure.

Affected Systems

The flaw impacts wolfSSL servers that are compiled with post‑handshake authentication support (WOLFSSL_POST_HANDSHAKE_AUTH or the enable‑all option) and that request a client certificate after the initial handshake via wolfSSL_request_certificate(). Clients and servers that do not use post‑handshake authentication are unaffected. No specific product version is listed, so all builds that enable the feature may be vulnerable.

Risk and Exploitability

The CVSS score of 6 indicates moderate risk, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the issue from the client side1.3 session with a vulnerable server, causing the server to accept a Finished message without authenticating the client. Because the flaw does not require special privileges, a remote attacker can trigger it simply by connecting to the server and requesting a post‑handshake certificate. The vulnerability is mitigated in newer versions of wolfSSL where the Finished validation is scoped to the initial handshake only.

Generated by OpenCVE AI on June 25, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wolfSSL to a version that includes the post‑handshake authentication check improvement
  • Recompile the server with post‑handshake authentication disabled (remove the WOLFSSL_POST_HANDSHAKE_AUTH compile flag) or avoid requesting post‑handshake certificates if they are not required
  • Review application logic to ensure wolfSSL_request_certificate() is called only when a client certificate is truly needed; disable or remove unnecessary post‑handshake CertificateRequests

Generated by OpenCVE AI on June 25, 2026 at 22:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4683-1 wolfssl security update
History

Fri, 26 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Thu, 25 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The post-handshake-auth exemption that allows an empty/absent peer certificate was only intended for the initial handshake, but it was also being applied while a post-handshake CertificateRequest was still outstanding. The check is now scoped to the initial handshake only: on the server, once a post-handshake CertificateRequest has been sent (certReqCtx is set), a peer certificate and a valid CertificateVerify are required again before the Finished is accepted, with empty-certificate handling following the configured verify mode (FAIL_IF_NO_PEER_CERT) just as during first-handshake client authentication. Only affects TLS 1.3 servers built with post-handshake authentication support (WOLFSSL_POST_HANDSHAKE_AUTH / --enable-postauth, included in --enable-all) that enable WOLFSSL_VERIFY_POST_HANDSHAKE and request a client certificate after the handshake via wolfSSL_request_certificate(). Clients, and servers that do not use post-handshake authentication, are unaffected.
Title TLS 1.3 post-handshake authentication: server accepts Finished without client Certificate/CertificateVerify
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-26T10:31:12.017Z

Reserved: 2026-06-17T22:10:55.453Z

Link: CVE-2026-55962

cve-icon Vulnrichment

Updated: 2026-06-26T10:30:49.929Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T01:30:16Z

Weaknesses