Summary: [RFE] openssl 1.0.1e-fips 11 Feb 2013 does not allow validation of common name against host name
Product: [Fedora] Fedora
Reporter: pjp <pj.pandit>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED DEFERRED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Doc Type: Enhancement
Type: Bug
Last Closed: 2014-11-04 12:39:45 UTC
Description pjp 2014-11-04 08:56:39 UTC
Description of problem:

With the current openssl version 1.0.1e-fips 11 Feb 2013, it is not possible to ensure that the certificate is actually issued for the server in question, i.e. by verifying the common name against the host name. This can be easily done with OpenSSL 1.1, but older releases require doing this in the application. Therefore the code from OpenSSL 1.1 needs to be backported to the older OpenSSL in Fedora or into ssmtp itself.

Please see -> https://bugzilla.redhat.com/show_bug.cgi?id=864897#c12

Could this support be provided in older versions of OpenSSL? Or should applications handle it at their end?

Thank you.
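The application-side check that the report describes (and that the maintainer's reply says applications must carry themselves), as an added example that is not part of this bug report, of OpenSSL or of ssmtp. It is written in Python over the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, so a real peer certificate can be fed to it unchanged; the sample certificates below are constructed. It goes beyond the plain common-name comparison the report mentions by preferring subjectAltName entries over the CN and by applying the RFC 6125 wildcard rules, which is what a correct check has to do.

```python
"""Application-side TLS hostname verification.

Added example: answers "is this certificate issued for the host I dialed?"
Chain validation is assumed to have been done already by the TLS library;
this routine only compares the certificate's identities with the hostname.
"""
import ipaddress


def _match_dns(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored,
    a wildcard only as the entire leftmost label, never spanning a dot and
    never for a pattern with fewer than three labels (rejects "*.com")."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # Same number of labels, and everything right of the wildcard identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _peer_identities(cert):
    """Collect dNSName and IP subjectAltName entries. The commonName is used
    only when the certificate carries no subjectAltName at all (RFC 6125
    section 6.4.4); a CN that disagrees with a present SAN is ignored."""
    dns_names, ip_names = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_names.append(value)
    if dns_names or ip_names:
        return dns_names, ip_names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                dns_names.append(value)
    return dns_names, ip_names


def verify_hostname(cert, hostname):
    """Return True if `cert` (getpeercert() layout) is issued for `hostname`,
    which may be a DNS name or an IP literal. Any failure is a mismatch."""
    dns_names, ip_names = _peer_identities(cert)
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal must match an IP SAN; dNSName entries do not count.
        for value in ip_names:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue
        return False
    return any(_match_dns(pattern, hostname) for pattern in dns_names)


# Constructed sample certificates in getpeercert() layout (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (
        ("DNS", "mail.example.org"),
        ("DNS", "*.example.net"),
        ("IP Address", "192.0.2.25"),
    ),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "smtp.example.com"),)),
}
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
}

if __name__ == "__main__":
    for cert, host in ((SAN_CERT, "mail.example.org"),
                       (SAN_CERT, "smtp.example.net"),
                       (SAN_CERT, "a.b.example.net"),
                       (CN_ONLY_CERT, "smtp.example.com"),
                       (SAN_OVERRIDES_CN_CERT, "mail.example.org")):
        print(host, "->", "match" if verify_hostname(cert, host) else "MISMATCH")
```

In an application the call sits right after the handshake: `cert = sock.getpeercert()` followed by `if not verify_hostname(cert, host): close the connection`, and it is only meaningful once the chain itself was validated (`CERT_REQUIRED` with a trust store), because an unvalidated certificate can claim any name. In C against OpenSSL 1.0.2 or later the same check is available as `X509_check_host()` / `X509_VERIFY_PARAM_set1_host()`; on 1.0.1 the application has to carry logic like the above itself, which is the situation the report describes.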
Comment 1 Tomas Mraz 2014-11-04 09:03:24 UTC
I don't think it makes much sense to backport this support as it would be impossible for applications to depend on it anyway unless the support is backported in all the major distributions. So that basically means that applications have to handle this by themselves anyway. Once the upstream package with the new API is released, we will rebase in Fedora as well.
Comment 2 pjp 2014-11-04 10:12:45 UTC
(In reply to Tomas Mraz from comment #1)

> impossible for applications to depend on it anyway unless the support is
> backported in all the major distributions.

Well, at least packages in Fedora would be able to use it, no?

> Once the upstream package with the new API is released, we will rebase in
> Fedora as well.

Don't we push the latest upstream release as is? Why rebase? (just checking)

Thank you.
Comment 3 Tomas Mraz 2014-11-04 10:29:05 UTC
We have multiple patches on top of the upstream version, so that's why it is called rebase. Even if on Fedora the apps could use the API, they would still need to implement their own checking, as the API would not be universally present, so except for Fedora-only apps this feature would not help much.
Comment 4 pjp 2014-11-04 12:22:55 UTC
I see. Well, I was thinking of a universal upstream fix and not a Fedora-specific one. Are you in contact with the upstream developers? Could you please let them know about it? For the packages I maintain I usually send such requests to the upstream developers.
Comment 5 Tomas Mraz 2014-11-04 12:39:45 UTC
There is a clear policy of patch addition and maintenance of upstream version branches, so there is no chance of such a backport having an official upstream status.