Red Hat Bugzilla – Bug 112275
Applications using OpenSSL crash when handling certs with Subject Alternative Name fields
Last modified: 2007-11-30 17:06:59 EST
Description of problem:
Applications using OpenSSL libraries crash when handling certs with
Subject Alternative Name fields. subjectAltName fields (as OpenSSL
refers to them) allow you to define aliases for the server's hostname
in addition to the main hostname specified in the CN field of the
cert. We use this on our LDAP server certificates. The CN field has
the FQDN of the server and then we have subjectAltName entries like
'ldap.ee.washington.edu' (all servers) and 'ldap1.ee.washington.edu'.
The servers are behind a load balancer, so the
'ldap.ee.washington.edu' allows clients to hit any server and have the
When we turn SSL on in an application that uses LDAP the application
segfaults. If we switch the server to an SSL certificate without the
subjectAltName fields it works.
We see this behavior with the OpenLDAP command line tools
(ldapsearch), nss_ldap and a Samba server configured for LDAP.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
% ldapsearch -x -ZZ -h ldap.ee.washington.edu uid=temp1
% ldapsearch -x -h ldap.ee.washington.edu uid=temp1
I believe this is the same problem described in bug 85728, which was
filed against Red Hat 9. That bug report contains a patch submitted
by a user.
After re-reading the older bug report and experimenting with
lynx/links and openssl s_client I guess the problem isn't solely with
OpenSSL but the OpenSSL/OpenLDAP interface. lynx/links and openssl
s_client seem to work fine against our LDAP server, so I guess it is
more LDAP specific.
As such I'm changing the component in this bug report to openldap.
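The report turns on the rule that a client must check subjectAltName dNSName entries (the load-balancer alias) and only fall back to the CN when no dNSName is present. The routine below, operating on certificate dictionaries in the shape Python's ssl module returns from getpeercert(), is an added illustration of that rule; it is not code from this bug report, OpenLDAP or OpenSSL, and the CN value and sample certificates are constructed (the report does not state the actual CN).

```python
def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName (optionally a leftmost-label wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Only a whole leftmost label may be a wildcard ("*.ee.washington.edu"), and it
    # covers exactly one label, so it does not match "a.b.ee.washington.edu".
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a SAN dNSName, or, only when the certificate
    carries no dNSName at all, by the subject commonName (legacy fallback)."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        # SAN present: the CN is ignored entirely, even if it would have matched.
        return any(_dns_match(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


# Constructed samples (not from the report): the CN holds the server's own FQDN
# (assumed to be ldap1) and the SAN lists the load-balancer alias plus the host alias.
SAN_CERT = {
    "subject": ((("commonName", "ldap1.ee.washington.edu"),),),
    "subjectAltName": (
        ("DNS", "ldap.ee.washington.edu"),
        ("DNS", "ldap1.ee.washington.edu"),
    ),
}
# The same server issued a certificate without subjectAltName, as in the workaround.
CN_ONLY_CERT = {"subject": ((("commonName", "ldap1.ee.washington.edu"),),)}
```

With the SAN-less certificate the per-host name still verifies, but the load-balancer alias does not, which is why the SAN entries cannot simply be dropped to sidestep the crash.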
*** This bug has been marked as a duplicate of 111492 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.