+++ This bug was initially created as a clone of Bug #1364444 +++

Description of problem:
Python fails to decode an X.509 certificate with a GEN_RID general name in subject alternative names. The problem makes it impossible to verify that a server certificate matches a host name. On the other hand, registered IDs are required for SearchGuard 2.x with Elasticsearch 2.x. #1364268 has more information.

Version-Release number of selected component (if applicable):
All versions of Python in RHEL and Fedora are affected.

How reproducible:
The bug can be reproduced with any certificate that has a registered ID (GEN_RID) in the X509v3 subject alt name extension.

Steps to Reproduce:
1. Download rid.pem from https://bugs.python.org/issue27691
2. python -c "import _ssl; print(_ssl._test_decode_cert('rid.pem'))"

Actual results:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
SystemError: error return without exception set

Expected results:
{'OCSP': ('http://acme.test/ca/ocsp/tls-server-ca',), 'serialNumber': '01', 'crlDistributionPoints': ('http://acme.test/ca/tls-server-ca.crl',), 'version': 3, 'caIssuers': ('http://acme.test/ca/tls-server-ca.cer',), 'notAfter': 'Aug 5 09:13:13 2018 GMT', 'subjectAltName': (('Registered ID', '1.2.3.4.5.5'), ('DNS', 'localhost'), ('IP Address', '127.0.0.1'), ('IP Address', '0:0:0:0:0:0:0:1\n')), 'subject': ((('countryName', 'XX'),), (('organizationName', 'Acme Corp'),), (('organizationalUnitName', 'Acme Users'),), (('commonName', 'localhost'),)), 'issuer': ((('countryName', 'XX'),), (('organizationName', 'Acme Corp'),), (('organizationalUnitName', 'Acme Certificate Authority'),), (('commonName', 'Acme TLS Server CA'),)), 'notBefore': 'Aug 5 09:13:13 2016 GMT'}

Additional info:
The root cause of the Python bug is a bug in OpenSSL's GENERAL_NAME_print() function, see #1364268. The ticket on Python's bug tracker has a fix with unit tests.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2016-08-05 07:26:30 EDT ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Petr Viktorin on 2016-08-08 05:04:29 EDT ---

Fixing Python tracker ID. I plan to add devel_ack as soon as the patch is upstream.

This is fixed in Python 2.7.13rc1. The final release will be out in approximately two weeks.

Python 2 is at version 2.7.13 (where this fix is contained) for all the current Fedora branches, so this issue is resolved.