Bug 1402154

Summary: Python fails to decode X.509 cert with GEN_RID subject alt name
Product: Fedora
Component: python
Version: 24
Reporter: Rich Megginson <rmeggins>
Assignee: Charalampos Stratakis <cstratak>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Keywords: Patch
CC: bkabrda, bnater, cheimes, cstratak, dmalcolm, ivazqueznet, jonathansteffan, mhroncok, ncoghlan, pviktori, python-maint, qe-baseos-apps, rkuska, rmeggins, tomspur, torsava
Fixed In Version: python2-2.7.13-1.fc26 python-2.7.13-1.fc25 python-2.7.13-1.fc24
Clone Of: 1364444
Type: Bug
Last Closed: 2017-01-26 10:03:43 UTC

Description Rich Megginson 2016-12-06 22:58:23 UTC
+++ This bug was initially created as a clone of Bug #1364444 +++

Description of problem:
Python fails to decode an X.509 certificate with a GEN_RID general name in the subject alternative names. The problem makes it impossible to verify that a server certificate matches a host name. On the other hand, registered IDs are required for SearchGuard 2.x with Elasticsearch 2.x. #1364268 has more information.

Version-Release number of selected component (if applicable):
All versions of Python in RHEL and Fedora are affected.

How reproducible:
The bug can be reproduced with any certificate that has a registered ID (GEN_RID) in the X509v3 subject alt name extension.

Steps to Reproduce:
1. Download rid.pem from https://bugs.python.org/issue27691
2. python -c "import _ssl; print(_ssl._test_decode_cert('rid.pem'))"

Actual results:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
SystemError: error return without exception set

Expected results:
{'OCSP': ('http://acme.test/ca/ocsp/tls-server-ca',), 'serialNumber': '01', 'crlDistributionPoints': ('http://acme.test/ca/tls-server-ca.crl',), 'version': 3, 'caIssuers': ('http://acme.test/ca/tls-server-ca.cer',), 'notAfter': 'Aug  5 09:13:13 2018 GMT', 'subjectAltName': (('Registered ID', '1.2.3.4.5.5'), ('DNS', 'localhost'), ('IP Address', '127.0.0.1'), ('IP Address', '0:0:0:0:0:0:0:1\n')), 'subject': ((('countryName', 'XX'),), (('organizationName', 'Acme Corp'),), (('organizationalUnitName', 'Acme Users'),), (('commonName', 'localhost'),)), 'issuer': ((('countryName', 'XX'),), (('organizationName', 'Acme Corp'),), (('organizationalUnitName', 'Acme Certificate Authority'),), (('commonName', 'Acme TLS Server CA'),)), 'notBefore': 'Aug  5 09:13:13 2016 GMT'}


Additional info:
The root cause of the Python bug is a bug in OpenSSL's GENERAL_NAME_print() function, see #1364268. The ticket on Python's bug tracker has a fix with unit tests.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2016-08-05 07:26:30 EDT ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Petr Viktorin on 2016-08-08 05:04:29 EDT ---

Fixing Python tracker ID.

I plan to add devel_ack as soon as the patch is upstream.
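
Hostname matching over a decoded certificate, as an added example that is not part of this bug report or of CPython. It takes the dict shape that _ssl._test_decode_cert() and SSLSocket.getpeercert() return, uses the expected output from this report as constructed sample input, and shows why a Registered ID entry has to be skipped rather than allowed to break verification: only DNS and IP Address entries carry a host identity. The function names, the wildcard rule (a single '*' as the whole left-most label), the commonName fallback and the whitespace stripping of the IPv6 entry are assumptions of this example; Python 3 is assumed for the ipaddress module.

```python
"""Match a host name against the subjectAltName of a decoded X.509 cert.

Added example, not code from this report or from CPython.  Operates on the
dict shape returned by _ssl._test_decode_cert() / SSLSocket.getpeercert().
"""
import ipaddress

# Constructed sample input: the subject and subjectAltName from the
# expected-results dict in this report (note the Registered ID entry and the
# trailing newline OpenSSL printed on the IPv6 entry).
SAMPLE_CERT = {
    'subject': ((('countryName', 'XX'),), (('organizationName', 'Acme Corp'),),
                (('organizationalUnitName', 'Acme Users'),),
                (('commonName', 'localhost'),)),
    'subjectAltName': (('Registered ID', '1.2.3.4.5.5'),
                       ('DNS', 'localhost'),
                       ('IP Address', '127.0.0.1'),
                       ('IP Address', '0:0:0:0:0:0:0:1\n')),
}


def _dns_matches(pattern, hostname):
    """Case-insensitive dNSName match; '*' is allowed only as the entire
    left-most label and matches exactly one label (assumed rule)."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    if p_labels[0] != '*' or '*' in pattern[1:] or len(p_labels) != len(h_labels):
        return False
    if h_labels[0] == '':
        return False
    return p_labels[1:] == h_labels[1:]


def _as_ip(text):
    """Parse an address, tolerating surrounding whitespace; None if not an IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def san_entries(cert, kind):
    """All subjectAltName values of one type, e.g. 'DNS' or 'Registered ID'."""
    return [value for key, value in cert.get('subjectAltName', ()) if key == kind]


def cert_matches_host(cert, hostname):
    """True if hostname matches a DNS or IP Address SAN entry.

    Other SAN types (Registered ID, email, URI, ...) carry no host identity and
    are ignored; they must never cause a crash or a false match.  If the cert
    has no dNSName at all, the subject commonName is used as a legacy fallback
    (assumed behaviour, mirroring what ssl.match_hostname did)."""
    wanted_ip = _as_ip(hostname)
    if wanted_ip is not None:
        return any(_as_ip(v) == wanted_ip for v in san_entries(cert, 'IP Address'))
    dns_names = san_entries(cert, 'DNS')
    if dns_names:
        return any(_dns_matches(v, hostname) for v in dns_names)
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName' and _dns_matches(value, hostname):
                return True
    return False


if __name__ == '__main__':
    for host in ('localhost', '127.0.0.1', '::1', '1.2.3.4.5.5', 'example.test'):
        print('%-12s -> %s' % (host, cert_matches_host(SAMPLE_CERT, host)))
```

The Registered ID value '1.2.3.4.5.5' is neither a DNS name nor an address, so asking whether the certificate is valid for that string returns False rather than matching it, and the same certificate still verifies for localhost, 127.0.0.1 and ::1 once the interpreter can decode it at all.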

Comment 1 Charalampos Stratakis 2016-12-07 18:22:56 UTC
This is fixed in Python 2.7.13rc1.

The final release will be out in approximately two weeks.

Comment 2 Charalampos Stratakis 2017-01-26 10:03:43 UTC
Python 2 is at version 2.7.13 (where this fix is contained) for all the current Fedora branches, so this issue is resolved.