TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The post-handshake-auth exemption that allows an empty/absent peer certificate was only intended for the initial handshake, but it was also being applied while a post-handshake CertificateRequest was still outstanding. The check is now scoped to the initial handshake only: on the server, once a post-handshake CertificateRequest has been sent (certReqCtx is set), a peer certificate and a valid CertificateVerify are required again before the Finished is accepted, with empty-certificate handling following the configured verify mode (FAIL_IF_NO_PEER_CERT) just as during first-handshake client authentication. Only affects TLS 1.3 servers built with post-handshake authentication support (WOLFSSL_POST_HANDSHAKE_AUTH / --enable-postauth, included in --enable-all) that enable WOLFSSL_VERIFY_POST_HANDSHAKE and request a client certificate after the handshake via wolfSSL_request_certificate(). Clients, and servers that do not use post-handshake authentication, are unaffected.
References
| Link | Resource |
|---|---|
| https://github.com/wolfSSL/wolfssl/pull/10702 | Issue Tracking Patch |
| https://www.wolfssl.com/docs/security-vulnerabilities/ | Vendor Advisory |
Configurations
History
27 Jun 2026, 19:57
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Wolfssl wolfssl
Wolfssl |
|
| CPE | cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:* | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| References | () https://github.com/wolfSSL/wolfssl/pull/10702 - Issue Tracking, Patch | |
| References | () https://www.wolfssl.com/docs/security-vulnerabilities/ - Vendor Advisory | |
| CWE | NVD-CWE-noinfo |
25 Jun 2026, 22:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-25 22:17
Updated : 2026-06-27 19:57
NVD link : CVE-2026-55962
Mitre link : CVE-2026-55962
CVE.ORG link : CVE-2026-55962
JSON object : View
Products Affected
wolfssl
- wolfssl
CWE
