Bug 112275 - Applications using OpenSSL crash when handling certs with Subject Alternative Name fields
Keywords:
Status: CLOSED DUPLICATE of bug 111492
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openldap
Version: 3.0
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-12-16 23:14 UTC by Jason Heiss
Modified: 2007-11-30 22:06 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-21 19:00:26 UTC
Target Upstream Version:
Embargoed:



Description Jason Heiss 2003-12-16 23:14:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030922

Description of problem:
Applications using OpenSSL libraries crash when handling certs with
Subject Alternative Name fields.  subjectAltName fields (as OpenSSL
refers to them) allow you to define aliases for the server's hostname
in addition to the main hostname specified in the CN field of the
cert.  We use this on our LDAP server certificates.  The CN field has
the FQDN of the server and then we have subjectAltName entries like
'ldap.ee.washington.edu' (all servers) and 'ldap1.ee.washington.edu'.
The servers are behind a load balancer, so the
'ldap.ee.washington.edu' allows clients to hit any server and have the
hostname match.

When we turn SSL on in an application that uses LDAP the application
segfaults.  If we switch the server to an SSL certificate without the
subjectAltName fields it works.

We see this behavior with the OpenLDAP command line tools
(ldapsearch), nss_ldap and a Samba server configured for LDAP.


Version-Release number of selected component (if applicable):
openssl-0.9.7a-24

How reproducible:
Always

Steps to Reproduce:
% ldapsearch -x -ZZ -h ldap.ee.washington.edu uid=temp1
Segmentation fault
% ldapsearch -x -h ldap.ee.washington.edu uid=temp1
<Normal output>


Additional info:

I believe this is the same problem described in bug 85728, which was
filed against Red Hat 9.  That bug report contains a patch submitted
by a user.
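
Added example, not part of the original report and not OpenLDAP or OpenSSL code: how a TLS client decides whether a certificate shaped like the one described above matches the name it connected to, following the RFC 2818 section 3.1 rule that dNSName subjectAltName entries, when present, are used instead of the CN. Assumptions: the certificate dicts use the layout of Python's ssl getpeercert(), host1.example.edu is a constructed placeholder for the server FQDN (the report does not give it), and a left-most-label wildcard is handled although the report does not use one.

```python
# Added example: server-name check in the style of RFC 2818 section 3.1.
# Not OpenLDAP/OpenSSL code; all certificate data below is constructed.

def _name_match(pattern, host):
    """Compare one certificate name with the host, case-insensitively.
    A '*' is honoured only as the complete left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(p) or not all(h):
        return False
    if p[0] == "*":
        # The wildcard covers exactly one label and needs two more after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def server_name_matches(cert, host):
    """Return (matched, field_used) for a getpeercert()-style dict."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        # dNSName entries exist: they are the identity, the CN is not consulted.
        return any(_name_match(n, host) for n in dns_names), "subjectAltName"
    # No dNSName entries: fall back to the subject's Common Name(s).
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_match(n, host) for n in cns), "commonName"


# Constructed certificate shaped like the report's: CN holds the server's own
# FQDN (placeholder), subjectAltName holds the load-balancer alias.
LB_CERT = {
    "subject": ((("commonName", "host1.example.edu"),),),
    "subjectAltName": (("DNS", "ldap.ee.washington.edu"),
                       ("DNS", "ldap1.ee.washington.edu")),
}
# Constructed certificate without any subjectAltName extension.
CN_ONLY_CERT = {"subject": ((("commonName", "host1.example.edu"),),)}

if __name__ == "__main__":
    checks = [(LB_CERT, "ldap.ee.washington.edu"),
              (LB_CERT, "host1.example.edu"),
              (CN_ONLY_CERT, "host1.example.edu")]
    for cert, host in checks:
        print(host, server_name_matches(cert, host))
```

Under this rule the server's own FQDN only matches a certificate with dNSName entries if it is listed among them as well.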

Comment 1 Jason Heiss 2003-12-18 17:07:48 UTC
After re-reading the older bug report and experimenting with
lynx/links and openssl s_client I guess the problem isn't solely with
OpenSSL but the OpenSSL/OpenLDAP interface.  lynx/links and openssl
s_client seem to work fine against our LDAP server, so I guess it is
more LDAP specific.
As such I'm changing the component in this bug report to openldap.


Comment 2 Jason Heiss 2004-01-22 21:03:39 UTC

*** This bug has been marked as a duplicate of 111492 ***

Comment 3 Red Hat Bugzilla 2006-02-21 19:00:26 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

