Bug 1749068

Summary: OpenSSL generates malformed status_request extension in CertificateRequest message in TLS 1.3
Product: Red Hat Enterprise Linux 8 Reporter: Hubert Kario <hkario>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Hubert Kario <hkario>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: medium    
Version: 8.0CC: elpereir, igkioka, mjahoda, pasik, tmraz
Target Milestone: rcKeywords: Triaged
Target Release: 8.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssl-1.1.1c-9.el8 Doc Type: Known Issue
Doc Text:
.OpenSSL generates a malformed `status_request` extension in the `CertificateRequest` message in TLS 1.3 OpenSSL servers send a malformed `status_request` extension in the `CertificateRequest` message if support for the `status_request` extension and client certificate-based authentication are enabled. In such case, OpenSSL does not interoperate with implementations compliant with the `RFC 8446` protocol. As a result, clients that properly verify extensions in the `CertificateRequest` message abort connections with the OpenSSL server. To work around this problem, disable support for the TLS 1.3 protocol on either side of the connection or disable support for `status_request` on the OpenSSL server. This will prevent the server from sending malformed messages.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:51:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hubert Kario 2019-09-04 19:31:12 UTC 
Description of problem:
when OpenSSL is set up to support status_request extension and ask for client certificates, the CertificateRequest message will include a malformed status_request extension (a copy of the one sent in Certificate message).

Additional info:
https://github.com/golang/go/issues/34040
bug 1737471

I have not tried to reproduce it with RHEL version, but given information from above bugs, it does look like RHEL's version of OpenSSL is also affected.
Comment 18 errata-xmlrpc 2020-04-28 16:51:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1840
Comment 20 Fedora Update System 2020-05-29 00:56:58 UTC 
FEDORA-EPEL-2020-ff94ccbdec has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.