Bug 363591 - m2crypto in RHEL5 does not support multiple names on the same certificate
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: m2crypto
Hardware: All, OS: Linux
Priority: low, Severity: medium
Assigned To: Miloslav Trmač
Reported: 2007-11-02 06:30 EDT by Johnny Hughes
Modified: 2013-04-12 15:25 EDT (History)
Fixed In Version: RHBA-2008-0041
Doc Type: Bug Fix
Last Closed: 2008-01-16 09:19:03 EST

Description Johnny Hughes 2007-11-02 06:30:01 EDT
Description of problem:
m2crypto-0.16-6.el5.1 in RHEL5 does not support multiple names on the same

This was added in upstream version 0.18:
- support multiple dNSName fields in subjectAltName
- support multiple commonName fields for SSL peer hostname checking

Also see this CentOS bug:
Comment 1 Miloslav Trmač 2007-11-05 23:31:00 EST
Thanks for your report.
Comment 6 Miloslav Trmač 2008-01-03 21:30:10 EST
To test:

* mkdir d; cd d; cp /etc/pki/tls/openssl.cnf .
* edit openssl.cnf:
  - in [req_distinguished_name], replace commonName* with
    0.commonName                    = server name 1
    0.commonName_default            = cn0.example.com
    0.commonName_max                = 64
    1.commonName                    = server name 2
    1.commonName_default            = cn1.example.com
    1.commonName_max                = 64
    2.commonName                    = server name 3
    2.commonName_default            = cn2.example.com
    2.commonName_max                = 64
  - add to [v3_ca]:
    subjectAltName = DNS:san1.example.com, DNS:san2.example.com
* openssl genrsa 1024 > mycert.key
* yes '' | \
  openssl req -config ./openssl.cnf -new -key mycert.key -x509 -out mycert.crt 
* create test.py:
import sys

import M2Crypto.SSL.Checker as Checker
import M2Crypto.X509 as X509

def test(host, cert):
    # Check the certificate against the host name, as an SSL client would.
    c = Checker.Checker(host)
    try:
        c(cert)
        print 'OK'
    except Checker.SSLVerificationError, e:
        print 'Error: %s' % str(e)

cert = X509.load_cert(sys.argv[1])

# Prompt for host names until end of input.
while True:
    try:
        host = raw_input('Host name:')
    except EOFError:
        break
    test(host, cert)
* Test various host names by running (python test.py mycert.crt)
  Expected results: san[12].example.com pass, cn[012].example.com and anything
  else don't.
* Remove the subjectAltName= line from openssl.cnf, generate a new key and
* Run (python test.py mycert.crt)
  Expected results: cn[012].example.com pass, nothing else does.
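
Added example (not part of the comment above and not M2Crypto's code): a Python 3 model of the name-selection rule that the expected results imply, following RFC 2818: when the certificate carries dNSName entries only those are checked, otherwise every commonName is. The function names are hypothetical, the two sample certificates are constructed from the values in the test procedure, and matching is exact (wildcards are left out).

```python
def dns_names_from_san(san_value):
    """Return the dNSName entries of a subjectAltName string written in
    OpenSSL notation ('DNS:a, DNS:b, email:c'); other types are skipped."""
    names = []
    for item in san_value.split(','):
        kind, sep, value = item.strip().partition(':')
        if sep and kind == 'DNS' and value.strip():
            names.append(value.strip().lower())
    return names


def reference_names(san_value, common_names):
    """Pick the names a host may be compared with: every dNSName if at
    least one exists (commonName is then ignored), else every commonName."""
    dns = dns_names_from_san(san_value) if san_value else []
    if dns:
        return 'subjectAltName', dns
    return 'commonName', [cn.lower() for cn in common_names]


def host_matches(host, san_value, common_names):
    """Exact, case-insensitive comparison against the selected names."""
    _source, names = reference_names(san_value, common_names)
    return host.lower() in names


# Constructed sample data: the values used in the test procedure.
CNS = ['cn0.example.com', 'cn1.example.com', 'cn2.example.com']
SAN = 'DNS:san1.example.com, DNS:san2.example.com'


def run_matrix():
    """Evaluate both test certificates (with and without subjectAltName)."""
    hosts = ['san1.example.com', 'san2.example.com'] + CNS + ['other.example.com']
    return {
        'with_san': dict((h, host_matches(h, SAN, CNS)) for h in hosts),
        'without_san': dict((h, host_matches(h, None, CNS)) for h in hosts),
    }


if __name__ == '__main__':
    for label, results in sorted(run_matrix().items()):
        for host, ok in sorted(results.items()):
            print('%-12s %-20s %s' % (label, host, 'OK' if ok else 'Error'))
```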
Comment 11 errata-xmlrpc 2008-01-16 09:19:03 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

