Mitigation of Vulnerability CVE-2019-1552 in OpenSSL On Windows
search cancel

Mitigation of Vulnerability CVE-2019-1552 in OpenSSL On Windows


Article ID: 245418


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder)


CVE-2019-1552 "Windows builds with insecure path defaults"

OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix.



Siteminder Access Gateway: r12.8.x

Operating System: Windows Server

OpenSSL versions 1.0.2 are affected by this issue


Customers can now mitigate this by setting the Openssl supported OPENSSL_CONF environment variable to the desired and safe path.


set OPENSSL_CONF=C:\Program Files\CA\secure-proxy\SSL\bin\openssl.cnf

After the environment variable is set or exported, OpenSSL stops reading the configuration file OpenSSL.cnf from the default compiled path /usr/local/ssl, and starts to read from the set path (i.e. "C:\Program Files\CA\secure-proxy\SSL\bin\openssl.cnf").

Additional Information