Bug 112275 - Applications using OpenSSL crash when handling certs with Subject Alternative Name fields
Status: CLOSED DUPLICATE of bug 111492
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openldap
Hardware: i686 Linux
Priority: medium Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Reported: 2003-12-16 18:14 EST by Jason Heiss
Modified: 2007-11-30 17:06 EST
Doc Type: Bug Fix
Last Closed: 2006-02-21 14:00:26 EST
Description Jason Heiss 2003-12-16 18:14:26 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030922

Description of problem:
Applications using OpenSSL libraries crash when handling certs with
Subject Alternative Name fields.  subjectAltName fields (as OpenSSL
refers to them) allow you to define aliases for the server's hostname
in addition to the main hostname specified in the CN field of the
cert.  We use this on our LDAP server certificates.  The CN field has
the FQDN of the server and then we have subjectAltName entries like
'ldap.ee.washington.edu' (all servers) and 'ldap1.ee.washington.edu'.
 The servers are behind a load balancer, so the
'ldap.ee.washington.edu' allows clients to hit any server and have the
hostname match.

When we turn SSL on in an application that uses LDAP the application
segfaults.  If we switch the server to an SSL certificate without the
subjectAltName fields it works.

We see this behavior with the OpenLDAP command line tools
(ldapsearch), nss_ldap and a Samba server configured for LDAP.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
% ldapsearch -x -ZZ -h ldap.ee.washington.edu uid=temp1
Segmentation fault
% ldapsearch -x -h ldap.ee.washington.edu uid=temp1
<Normal output>

Additional info:

I believe this is the same problem described in bug 85728, which was
filed against Red Hat 9.  That bug report contains a patch submitted
by a user.
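
Added example, not part of the original report: a pre-deployment check of which client-facing hostnames a certificate covers when it carries both a CN and subjectAltName dNSName entries, as in the load-balanced setup described above. The certificate dict uses the layout returned by Python's ssl.SSLSocket.getpeercert(); the CN value host1.example.edu is a constructed placeholder, and the cn_fallback switch is an assumption used to contrast the RFC 6125 rule with a lenient matcher.

```python
# Added example: report hostnames that a certificate does NOT cover.
# Input layout matches ssl.SSLSocket.getpeercert(); sample data is constructed.

def _label_match(pattern, host):
    """Case-insensitive DNS match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.edu".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def dns_alt_names(cert):
    """dNSName entries of the subjectAltName extension."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    """commonName values from the subject (a tuple of RDNs)."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def uncovered(cert, hostnames, cn_fallback=False):
    """Return the hostnames the certificate does not cover.

    cn_fallback=False: if any dNSName is present the CN is ignored (RFC 6125).
    cn_fallback=True:  the CN is consulted as well (lenient matching; an
                       assumption for comparison, not a specific client's logic).
    """
    sans = dns_alt_names(cert)
    patterns = list(sans)
    if cn_fallback or not sans:
        patterns += common_names(cert)
    return [h for h in hostnames if not any(_label_match(p, h) for p in patterns)]

# Constructed sample: CN holds the server's own name, SAN holds the aliases.
SAMPLE_CERT = {
    "subject": ((("commonName", "host1.example.edu"),),),
    "subjectAltName": (("DNS", "ldap.ee.washington.edu"),
                       ("DNS", "ldap1.ee.washington.edu")),
}
CLIENT_NAMES = ["ldap.ee.washington.edu", "ldap1.ee.washington.edu",
                "host1.example.edu"]

if __name__ == "__main__":
    print("strict :", uncovered(SAMPLE_CERT, CLIENT_NAMES))
    print("lenient:", uncovered(SAMPLE_CERT, CLIENT_NAMES, cn_fallback=True))
```

Under the strict rule the name that appears only in the CN is reported as uncovered, so every name clients will connect to should also be listed as a dNSName entry.
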
Comment 1 Jason Heiss 2003-12-18 12:07:48 EST
After re-reading the older bug report and experimenting with
lynx/links and openssl s_client I guess the problem isn't solely with
OpenSSL but the OpenSSL/OpenLDAP interface.  lynx/links and openssl
s_client seem to work fine against our LDAP server, so I guess it is
more LDAP specific.
As such I'm changing the component in this bug report to openldap.
Comment 2 Jason Heiss 2004-01-22 16:03:39 EST

*** This bug has been marked as a duplicate of 111492 ***
Comment 3 Red Hat Bugzilla 2006-02-21 14:00:26 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
