Bug 363591 - m2crypto in RHEL5 does not support multiple names on the same certificate
Summary: m2crypto in RHEL5 does not support multiple names on the same certificate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: m2crypto
Version: 5.0
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miloslav Trmač
QA Contact:
URL: http://bugs.centos.org/view.php?id=2424
Whiteboard:
Depends On:
Blocks:
Reported: 2007-11-02 10:30 UTC by Johnny Hughes
Modified: 2013-04-12 19:25 UTC (History)

Fixed In Version: RHBA-2008-0041
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-16 14:19:03 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2008:0041
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: m2crypto bug fix and enhancement update
Last Updated: 2008-01-16 14:18:55 UTC

Description Johnny Hughes 2007-11-02 10:30:01 UTC
Description of problem:
m2crypto-0.16-6.el5.1 in RHEL5 does not support multiple names on the same
certificate.

This was added in upstream version 0.18:
- support multiple dNSName fields in subjectAltName
- support multiple commonName fields for SSL peer hostname checking

Also see this CentOS bug:
http://bugs.centos.org/view.php?id=2424

Comment 1 Miloslav Trmač 2007-11-06 04:31:00 UTC
Thanks for your report.

Comment 6 Miloslav Trmač 2008-01-04 02:30:10 UTC
To test:

* mkdir d; cd d; cp /etc/pki/tls/openssl.cnf .
* edit openssl.cnf:
  - in [req_distinguished_name], replace commonName* with
    0.commonName                    = server name 1
    0.commonName_default            = cn0.example.com
    0.commonName_max                = 64
    1.commonName                    = server name 2
    1.commonName_default            = cn1.example.com
    1.commonName_max                = 64
    2.commonName                    = server name 3
    2.commonName_default            = cn2.example.com
    2.commonName_max                = 64
  - add to [v3_ca]:
    subjectAltName = DNS:san1.example.com, DNS:san2.example.com
* openssl genrsa 1024 > mycert.key
* yes '' | \
  openssl req -config ./openssl.cnf -new -key mycert.key -x509 -out mycert.crt
* create test.py:
import sys

import M2Crypto.SSL.Checker as Checker
import M2Crypto.X509 as X509

def test(host, cert):
    c = Checker.Checker(host)
    try:
        c(cert)
        print 'OK'
    except Checker.SSLVerificationError, e:
        print 'Error: %s' % str(e)

cert = X509.load_cert(sys.argv[1])

while True:
    try:
        host = raw_input('Host name:')
    except EOFError:
        break
    test(host, cert)
* Test various host names by running (python test.py mycert.crt)
  Expected results: san[12].example.com pass, cn[012].example.com and anything
  else don't.
* Remove the subjectAltName= line from openssl.cnf, generate a new key and
  certificate
* Run (python test.py mycert.crt)
  Expected results: cn[012].example.com pass, nothing else does.
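
The expected results above encode a hostname-matching policy: when the certificate carries subjectAltName dNSName entries, only those are consulted and the commonName values are ignored; only a certificate without dNSName entries falls back to its commonName values, all of which count. The following is an added Python 3 example written for this page, not M2Crypto's own Checker code, that implements that policy over pre-extracted name lists and checks it against constructed inputs mirroring the two certificates in the test procedure. It parses the openssl.cnf-style subjectAltName value used above, normalises case and a trailing dot, and deliberately leaves out wildcard handling, which a full checker would also need to cover.

```python
"""Hostname-matching policy behind the expected results of the test procedure.

Added example for this bug page; it is not M2Crypto's Checker implementation.
Inputs are name lists already extracted from a certificate, so it runs offline.
"""


def parse_subject_alt_name(value):
    """Split an openssl.cnf subjectAltName value such as
    'DNS:san1.example.com, DNS:san2.example.com' into its dNSName entries.
    Entries of other types (IP:, email:, URI:) are ignored for host checking."""
    names = []
    for entry in value.split(','):
        entry = entry.strip()
        if not entry:
            continue
        kind, sep, val = entry.partition(':')
        if sep and kind.strip().upper() == 'DNS':
            names.append(val.strip())
    return names


def _normalize(name):
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.strip().rstrip('.').lower()


def host_matches(host, common_names, san_dns_names):
    """Return True if host is acceptable for a certificate that carries the
    given commonName values and subjectAltName dNSName values.

    Policy: if any dNSName entry is present, only dNSName entries are consulted
    and every commonName is ignored; otherwise every commonName is consulted."""
    host = _normalize(host)
    if not host:
        return False
    candidates = san_dns_names if san_dns_names else common_names
    return any(_normalize(candidate) == host for candidate in candidates)


# Constructed inputs mirroring the two certificates of the test procedure
# (three commonName values, with and without the subjectAltName line).
CERT_WITH_SAN = {
    'common_names': ['cn0.example.com', 'cn1.example.com', 'cn2.example.com'],
    'san': parse_subject_alt_name('DNS:san1.example.com, DNS:san2.example.com'),
}
CERT_CN_ONLY = {
    'common_names': ['cn0.example.com', 'cn1.example.com', 'cn2.example.com'],
    'san': [],
}


def check(host, cert):
    """Convenience wrapper over host_matches for the constructed cert dicts."""
    return host_matches(host, cert['common_names'], cert['san'])


if __name__ == '__main__':
    for label, cert in (('with SAN', CERT_WITH_SAN), ('CN only', CERT_CN_ONLY)):
        for host in ('san1.example.com', 'cn0.example.com', 'other.example.com'):
            print(label, host, 'OK' if check(host, cert) else 'Error')
```

The point of the fallback rule is that a subjectAltName, when present, fully replaces the commonName for hostname checking: a name that appears only in a CN of a certificate that also carries dNSName entries must be rejected, exactly as the expected results above require.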

Comment 11 errata-xmlrpc 2008-01-16 14:19:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0041.html