Bug 1805132
| Summary: | socat does not recognize IP addresses of the SAN extensions in ssl mode | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Frank Büttner <bugzilla> |
| Component: | socat | Assignee: | Ondrej Moriš <omoris> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8.2 | CC: | gerhard, omoris, pvrabec, sahana |
| Target Milestone: | rc | Keywords: | Patch, Rebase, Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | socat-1.7.4.1-1.el8 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-09 17:48:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (socat bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4167 |
Description of problem: When using in ssl mode and the connection to the peer is done via an ip address and the ip address of the peer are in the san part of the x509 certificate, then the connection fails with: E certificate is valid but its commonName does not match hostname Version-Release number of selected component (if applicable): socat-1.7.3.2-2 How reproducible: Every every time Steps to Reproduce: 1. start socat on node B with the following command: socat -u openssl-listen:4445,reuseaddr,cert=/etc/pki/tls/certs/cert.pem,key=/etc/pki/tls/private/key.pem,cafile=/etc/pki/tls/certs/certificate_chain.crt stdio 2. start scocat on node A with: socat -d -d -d -u stdio openssl-connect:192.168.0.2:4445,cert=/etc/pki/tls/certs/cert.pem,key=/etc/pki/tls/private/key.pem,cafile=/etc/pki/tls/certs/certificate_chain.crt Actual results: The connection from node A to B fails with: E certificate is valid but its commonName Expected results: Working connetions Additional info: The certificate_chain.crt contains all needed intermediate certificates. cert.pem contain the IP addresses of both nodes in the SAN field. Running socat in debug mode shows, that only DNS fields of the SAN part are checked. But IP field are ignored. Here the SAN part of the certificate: X509v3 Subject Alternative Name: DNS:foo1.foo.foo, DNS:foo2.foo.foo, IP Address:192.168.0.1, IP Address:192.168.0.2 Debug log of socat: socat[45554] I commonName "foo1.foo.foo" does not match peername "192.168.0.2" socat[45554] I commonName "foo2.foo.foo" does not match peername "192.168.0.2" socat[45554] I commonName "foo3.foo.foo" does not match peername "192.168.0.2" socat[45554] E certificate is valid but its commonName does not match hostname socat[45554] N exit(1) socat[45554] I close(6) foo3 is the cn name of the certificate It looks like the IP addresses are not checked.