Bug 363591 - m2crypto in RHEL5 does not support multiple names on the same certificate
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: m2crypto
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miloslav Trmač
URL: http://bugs.centos.org/view.php?id=2424
Reported: 2007-11-02 06:30 EDT by Johnny Hughes
Modified: 2013-04-12 15:25 EDT (History)
Fixed In Version: RHBA-2008-0041
Doc Type: Bug Fix
Last Closed: 2008-01-16 09:19:03 EST
Description Johnny Hughes 2007-11-02 06:30:01 EDT
Description of problem:
m2crypto-0.16-6.el5.1 in RHEL5 does not support multiple names on the same
certificate.

This was added in upstream version 0.18:
- support multiple dNSName fields in subjectAltName
- support multiple commonName fields for SSL peer hostname checking

Also see this CentOS bug:
http://bugs.centos.org/view.php?id=2424
Comment 1 Miloslav Trmač 2007-11-05 23:31:00 EST
Thanks for your report.
Comment 6 Miloslav Trmač 2008-01-03 21:30:10 EST
To test:

* mkdir d; cd d; cp /etc/pki/tls/openssl.cnf .
* edit openssl.cnf:
  - in [req_distinguished_name], replace commonName* with
    0.commonName                    = server name 1
    0.commonName_default            = cn0.example.com
    0.commonName_max                = 64
    1.commonName                    = server name 2
    1.commonName_default            = cn1.example.com
    1.commonName_max                = 64
    2.commonName                    = server name 3
    2.commonName_default            = cn2.example.com
    2.commonName_max                = 64
  - add to [v3_ca]:
    subjectAltName = DNS:san1.example.com, DNS:san2.example.com
* openssl genrsa 1024 > mycert.key
* yes '' | \
  openssl req -config ./openssl.cnf -new -key mycert.key -x509 -out mycert.crt
* create test.py:
import sys

import M2Crypto.SSL.Checker as Checker
import M2Crypto.X509 as X509

def test(host, cert):
    # Checker applies the same host-name check that M2Crypto runs against an
    # SSL peer certificate: subjectAltName dNSName entries are consulted
    # first, and the commonName fields only when there is no subjectAltName.
    c = Checker.Checker(host)
    try:
        c(cert)
        print 'OK'
    except Checker.SSLVerificationError, e:
        print 'Error: %s' % str(e)

# Load the PEM certificate named on the command line once; every host name
# typed at the prompt is then checked against that same certificate.
cert = X509.load_cert(sys.argv[1])

while True:
    try:
        host = raw_input('Host name:')
    except EOFError:
        break
    test(host, cert)
* Test various host names by running (python test.py mycert.crt)
  Expected results: san[12].example.com pass, cn[012].example.com and anything
  else doesn't.
* Remove the subjectAltName= line from openssl.cnf, generate a new key and
  certificate
* Run (python test.py mycert.crt)
  Expected results: cn[012].example.com pass, nothing else does.
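The expected-results table in the test procedure above encodes the host-name rule the fixed package has to implement: when a certificate carries any subjectAltName dNSName, only those names count and a matching commonName is ignored; only a certificate with no dNSName falls back to the subject, and then every commonName is a candidate. The block below is an added reference implementation of that rule, not M2Crypto's own code: the two certificates are constructed dicts standing in for the ones the procedure generates (the functions, dict keys and host names are assumptions made for the example), and it goes slightly beyond the procedure by also honouring a leftmost-label wildcard as RFC 2818 section 3.1 describes.

```python
# Added example (not M2Crypto code): a reference implementation of the
# host-name rule exercised by the test procedure, written against a
# constructed certificate description instead of a parsed X.509 object.

# Constructed stand-ins for the two certificates the procedure generates.
CERT_WITH_SAN = {
    "commonNames": ["cn0.example.com", "cn1.example.com", "cn2.example.com"],
    "sanDNS": ["san1.example.com", "san2.example.com"],
}
CERT_CN_ONLY = {
    "commonNames": ["cn0.example.com", "cn1.example.com", "cn2.example.com"],
    "sanDNS": [],
}


def dns_name_matches(pattern, host):
    """Match one certificate name against one host name.

    Comparison is case-insensitive and ignores a trailing dot. A pattern
    whose leftmost label is exactly '*' matches exactly one label there
    (RFC 2818 section 3.1: '*.a.com' matches 'foo.a.com' but not
    'bar.foo.a.com'). Wildcards in any other position are not honoured,
    and a wildcard needs at least two fixed labels after it ('*.com' is
    rejected).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] == "*" and len(plabels) >= 3:
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def check_hostname(host, common_names, san_dns):
    """Return (matched, reason).

    If the certificate carries any subjectAltName dNSName, those are the
    only names consulted: a matching commonName does not rescue the check.
    Only a certificate with no dNSName falls back to commonName, and then
    every commonName in the subject is a candidate, not just the first.
    """
    if san_dns:
        for name in san_dns:
            if dns_name_matches(name, host):
                return True, "matched subjectAltName dNSName %s" % name
        return False, "no subjectAltName dNSName matches %s" % host
    for cn in common_names:
        if dns_name_matches(cn, host):
            return True, "matched commonName %s" % cn
    return False, "no commonName matches %s" % host


def check_cert(cert, host):
    """True if host is acceptable for the constructed certificate dict."""
    return check_hostname(host, cert["commonNames"], cert["sanDNS"])[0]


def test_matrix():
    """The expected-results table from the procedure, as data."""
    hosts = ["san1.example.com", "san2.example.com",
             "cn0.example.com", "cn1.example.com", "cn2.example.com",
             "other.example.com"]
    return {
        "with_san": {h: check_cert(CERT_WITH_SAN, h) for h in hosts},
        "cn_only": {h: check_cert(CERT_CN_ONLY, h) for h in hosts},
    }


if __name__ == "__main__":
    for label, results in test_matrix().items():
        print(label)
        for host, ok in results.items():
            print("  %-20s %s" % (host, "OK" if ok else "Error"))
```

Running the block prints the same two tables the procedure asks you to produce by hand: with the subjectAltName present only san1/san2 pass, and with it removed only cn0/cn1/cn2 pass. The point of keeping the two name sources strictly separate is that a commonName is free-form text an issuer may not validate at all, so a check that falls through to it when a subjectAltName is present would let a certificate issued for one name be accepted for another.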
Comment 11 errata-xmlrpc 2008-01-16 09:19:03 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0041.html
