Bug 1284927 - m2crypto does not support subject alternative name with IP address
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: m2crypto
6.8
Unspecified Unspecified
low Severity low
: rc
Assigned To: Miloslav Trmač
BaseOS QE Security Team
https://github.com/martinpaljak/M2Cry...
Depends On: 1080142
Blocks:
Reported: 2015-11-24 08:22 EST by Stanislav Zidek
Modified: 2017-12-06 07:14 EST

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1080142
Environment:
Last Closed: 2017-12-06 07:14:19 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Stanislav Zidek 2015-11-24 08:22:26 EST
+++ This bug was initially created as a clone of Bug #1080142 +++

Same problem exists in RHEL-6 (m2crypto-0.20.2-9.el6). Problem fixed in upstream. Cloning the bug for reference (see bz1080142#c3).

Description of problem:
When an m2crypto client connects to a server specified only by IP address, certificate verification fails.

How reproducible:
Always

Steps to Reproduce:
1. Create a CA and sign a certificate with a SAN pointing to 127.0.0.1
2. Start s_server with the certificate
3. Connect to the local s_server using 127.0.0.1 as the hostname

Actual results:
LOOP: SSL connect: before/connect initialization
LOOP: SSL connect: SSLv2/v3 write client hello A
LOOP: SSL connect: SSLv3 read server hello A
LOOP: SSL connect: SSLv3 read server certificate A
LOOP: SSL connect: SSLv3 read server key exchange A
LOOP: SSL connect: SSLv3 read server done A
LOOP: SSL connect: SSLv3 write client key exchange A
LOOP: SSL connect: SSLv3 write change cipher spec A
LOOP: SSL connect: SSLv3 write finished A
LOOP: SSL connect: SSLv3 flush data
LOOP: SSL connect: SSLv3 read server session ticket A
LOOP: SSL connect: SSLv3 read finished A
INFO: SSL connect: SSL negotiation finished successfully
Traceback (most recent call last):
  File "sni.py", line 48, in <module>
    s.connect((host, port))
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 188, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.py", line 98, in __call__
    fieldName='subjectAltName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate subjectAltName does not match host, expected 127.0.0.1, got DNS:wronghostname.com, DNS:example.com, DNS:evenmoreincorrectname.com, IP Address:127.0.0.1
ALERT: write: warning: close notify

Expected results:
Successful connection to server

--- Additional comment from Hubert Kario on 2014-03-31 18:50:48 CEST ---

Issue of course affects all released versions, so after it is implemented upstream, we will have to consider backporting it to earlier releases.
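The failure in the traceback comes from a hostname checker that compares the peer address only against the DNS entries of the subjectAltName, so an IP-literal host never matches even when a matching "IP Address" entry is present. As an added illustration, not M2Crypto's own code and calling none of its APIs, the stand-alone checker below shows the failing behaviour (dns_only_check) next to one that matches an IP-literal host against the IP Address entries (check_san); the SAN string is the one printed in the WrongHost message above, and the wildcard rule and the IPv6 handling are assumptions that go beyond what this bug describes.

```python
import ipaddress

# SAN string copied from the WrongHost message in the traceback above,
# used here as constructed test input.
SAN_FROM_BUG = ("DNS:wronghostname.com, DNS:example.com, "
                "DNS:evenmoreincorrectname.com, IP Address:127.0.0.1")

def parse_san(san_text):
    """Split an OpenSSL-style SAN string into (type, value) pairs."""
    entries = []
    for item in san_text.split(","):
        if ":" in item:
            kind, value = item.strip().split(":", 1)
            entries.append((kind.strip(), value.strip()))
    return entries

def _dns_match(pattern, host):
    """Case-insensitive name match; '*' only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def dns_only_check(host, san_text):
    """Pre-fix behaviour: only DNS entries are consulted, so an IP-literal
    host such as 127.0.0.1 never matches and the connection is refused."""
    return any(k == "DNS" and _dns_match(v, host) for k, v in parse_san(san_text))

def check_san(host, san_text):
    """Fixed behaviour: an IP-literal host is compared only with 'IP Address'
    entries (as parsed addresses, so '::1' == '0:0:0:0:0:0:0:1'); a DNS
    name is compared only with 'DNS' entries."""
    try:
        wanted = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        wanted = None  # host is a DNS name, not an IP literal
    for kind, value in parse_san(san_text):
        if wanted is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == wanted:
                    return True
            except ValueError:
                continue  # malformed entry never matches
        elif wanted is None and kind == "DNS" and _dns_match(value, host):
            return True
    return False
```

Keeping the two entry types separate also prevents a DNS entry whose text merely looks like an address from being accepted for an IP-literal host.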
Comment 2 Jan Kurik 2017-12-06 07:14:19 EST
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/
