Bug 504060 - m2crypto does not handle subjectAltName having non DNS:xxx entries.
Summary: m2crypto does not handle subjectAltName having non DNS:xxx entries.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: m2crypto
Version: 5.5
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Miloslav Trmač
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks: 5.4, TechnicalNotes
 
Reported: 2009-06-04 01:26 UTC by Jim Pirzyk
Modified: 2018-09-14 08:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The M2Crypto SSL certificate checker incorrectly rejected certificates with a subjectAltName extension that did not contain a host name. M2Crypto now uses the certificate subject field instead of subjectAltName if subjectAltName does not contain a host name.
Clone Of:
Environment:
Last Closed: 2009-09-02 11:19:52 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
CentOS 3664 0 None None None Never
Red Hat Product Errata RHBA-2009:1351 0 normal SHIPPED_LIVE m2crypto bug fix update 2009-09-01 10:49:36 UTC

Description Jim Pirzyk 2009-06-04 01:26:45 UTC
Description of problem:


Version-Release number of selected component (if applicable):
0.16-6.el5.3

How reproducible:
All the time

Steps to Reproduce:
1. Get an SSL certificate from IPSca for a yum repository
2. Setup the yum repository
3. Configure RHEL client to connect to the yum repository
  
Actual results:
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 229, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 104, in main
    result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 339, in doCommands
    self._getTs(needTsRemove)
  File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 101, in _getTs
    self._getTsInfo(remove_only)
  File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 112, in _getTsInfo
    pkgSack = self.pkgSack
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 591, in <lambda>
    pkgSack = property(fget=lambda self: self._getSacks(),
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 434, in _getSacks
    self.repos.populateSack(which=repos)
  File "/usr/lib/python2.4/site-packages/yum/repos.py", line 251, in populateSack
    sack.populate(repo, mdtype, callback, cacheonly)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 159, in populate
    if self._check_db_version(repo, mydbtype):
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 216, in _check_db_version
    return repo._check_db_version(mdtype)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 966, in _check_db_version
    repoXML = self.repoXML
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1124, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1116, in _getRepoXML
    self._loadRepoXML(text=self)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1106, in _loadRepoXML
    return self._groupLoadRepoXML(text, ["primary"])
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1090, in _groupLoadRepoXML
    if self._commonLoadRepoXML(text):
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 941, in _commonLoadRepoXML
    result = self._getFileRepoXML(local, text)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 812, in _getFileRepoXML
    cache=self.http_caching == 'all')
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 687, in _getFile
    http_headers=headers,
  File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 412, in urlgrab
    return self._mirror_try(func, url, kw)
  File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 398, in _mirror_try
    return func_ref( *(fullurl,), **kwargs )
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 934, in urlgrab
    return self._retry(opts, retryfunc, url, filename)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 852, in _retry
    r = apply(func, (opts,) + args, {})
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 920, in retryfunc
    fo = URLGrabberFileObject(url, filename, opts)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1008, in __init__
    self._do_open()
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1091, in _do_open
    fo, hdr = self._make_request(req, opener)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1200, in _make_request
    fo = opener.open(req)
  File "/usr/lib/python2.4/urllib2.py", line 358, in open
    response = self._open(req, data)
  File "/usr/lib/python2.4/urllib2.py", line 376, in _open
    '_open', req)
  File "/usr/lib/python2.4/urllib2.py", line 337, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.4/site-packages/M2Crypto/m2urllib2.py", line 66, in https_open
    h.request(req.get_method(), req.get_full_url(), req.data, headers)
  File "/usr/lib/python2.4/httplib.py", line 810, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.4/httplib.py", line 833, in _send_request
    self.endheaders()
  File "/usr/lib/python2.4/httplib.py", line 804, in endheaders
    self._send_output()
  File "/usr/lib/python2.4/httplib.py", line 685, in _send_output
    self.send(msg)
  File "/usr/lib/python2.4/httplib.py", line 652, in send
    self.connect()
  File "/usr/lib/python2.4/site-packages/M2Crypto/httpslib.py", line 47, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 159, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Checker.py", line 86, in __call__
    fieldName='subjectAltName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate subjectAltName does not match host, expected repo.tusk.tufts.edu, got email:tuskdev.edu

Expected results:
Successfully connecting to the yum repository

Additional info:

According to the m2crypto comments in the code, it should only check against the subjectAltName if the entry starts with DNS:, but it does not look like the python code checks for it.

            # subjectAltName=DNS:somehost[, ...]*
            try:
                subjectAltName = peerCert.get_ext('subjectAltName').get_value()
                if not self._splitSubjectAltName(self.host, subjectAltName):
                    raise WrongHost(expectedHost=self.host, 
                                    actualHost=subjectAltName,
                                    fieldName='subjectAltName')
                hostValidationPassed = True



Here is the SSL certificate information:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 64562 (0xfc32)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=Barcelona, L=Barcelona, O=IPS Certification Authority s.l., O=general C.I.F.  B-B62210695, OU=ipsCA CLASEA1 Certification Authority, CN=ipsCA CLASEA1 Certification Authority/emailAddress=general
        Validity
            Not Before: May 14 15:55:30 2009 GMT
            Not After : May 14 15:55:30 2011 GMT
        Subject: C=US, ST=Massachusetts, L=Boston, O=Tufts University, OU=TUSK, CN=repo.tusk.tufts.edu/emailAddress=tuskdev.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:9e:00:5d:c0:f8:e6:5b:cb:e3:ba:a6:f0:5f:4c:
                    3b:bd:5c:49:dc:92:2f:47:ef:bf:d9:aa:8b:ac:87:
                    77:cd:1a:74:7a:2f:da:a3:6e:ae:53:9c:54:e8:2b:
                    25:ef:1c:c5:96:5c:24:6a:3f:07:a7:c9:ef:c8:1c:
                    d3:c8:e3:b5:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                BF:0E:C2:87:9F:5D:F3:CE:3C:FA:9D:3F:2A:F4:AA:3E:1A:67:32:A1
            X509v3 Authority Key Identifier: 
                keyid:0E:07:60:D4:39:C9:1B:5B:5D:90:7B:23:C8:D2:34:9D:4A:9A:46:39

            X509v3 Subject Alternative Name: 
                email:tuskdev.edu
            X509v3 Issuer Alternative Name: 
                email:general
            Netscape Comment: 
                Organization Information NOT VALIDATED. CLASEA1 Server Certificate issued by https://www.ipsca.com/
            Netscape Base Url: 
                https://www.ipsca.com/ipsca2002/
            Netscape CA Revocation Url: 
                https://www.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl
            Netscape Revocation Url: 
                https://www.ipsca.com/ipsca2002/revocationCLASEA1.html?
            Netscape Renewal Url: 
                https://www.ipsca.com/ipsca2002/renewalCLASEA1.html?
            Netscape CA Policy Url: 
                https://www.ipsca.com/ipsca2002/policyCLASEA1.html
            X509v3 CRL Distribution Points: 
                URI:http://www.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl
                URI:http://wwwback.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.ipsca.com/

    Signature Algorithm: sha1WithRSAEncryption
        3d:0a:7d:b5:31:64:2b:17:a8:d6:a3:df:ea:8d:1b:ab:b3:06:
        c3:c2:9c:f9:ab:d1:3c:a9:ec:60:c8:2d:f4:e7:50:26:4d:f0:
        5b:34:96:d2:d3:98:34:46:71:fe:3a:fd:c5:e6:c6:00:86:e8:
        2d:46:73:28:51:c0:60:64:f9:56:d0:44:11:d1:87:82:76:fd:
        63:89:9d:32:ce:32:75:30:c2:fb:61:3f:62:45:cb:95:65:c7:
        21:e2:63:4b:7e:89:ca:b7:96:0f:30:8b:17:af:cb:97:84:45:
        a7:c7:b4:00:81:83:59:a6:32:7e:9b:b2:e6:1a:4e:20:0b:4e:
        af:b8
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
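
The failure described above, and the behaviour the release note says the fix adopts, as an added Python example (not M2Crypto's code). It parses the OpenSSL-style text that M2Crypto's get_ext('subjectAltName').get_value() returns ("email:tuskdev.edu", "DNS:a.example, DNS:b.example", ...) and places the pre-fix check, in which every SAN entry is compared to the host no matter its type, beside a corrected check in which only DNS: entries count and the subject CN is consulted only when the SAN carries none. The function names, the simplified wildcard rule and the WrongHost class are assumptions of this example; the sample host, CN and SAN value are taken from the certificate dump in the report.

```python
"""Host-name checking against subjectAltName (SAN) and subject CN.

Added example; not M2Crypto's implementation.  The SAN value is modelled the
way M2Crypto exposes it: the OpenSSL text form, e.g.
    "DNS:a.example, email:x@y.example, IP Address:10.0.0.1"
"""
import re


class WrongHost(Exception):
    """Mirrors the message shape of M2Crypto.SSL.Checker.WrongHost (assumed)."""

    def __init__(self, expected_host, actual_host, field_name):
        self.expectedHost = expected_host
        self.actualHost = actual_host
        self.fieldName = field_name
        super().__init__("Peer certificate %s does not match host, expected %s, got %s"
                         % (field_name, expected_host, actual_host))


def split_san(san_value):
    """Split 'DNS:a, email:b' into [('DNS', 'a'), ('email', 'b')].

    An entry without a 'type:' prefix is kept with an empty type so that it
    can never be mistaken for a DNS name.
    """
    entries = []
    for item in san_value.split(","):
        item = item.strip()
        if not item:
            continue
        kind, sep, value = item.partition(":")
        entries.append((kind.strip(), value.strip()) if sep else ("", item))
    return entries


def hostname_matches(pattern, host):
    """Case-insensitive match; a '*' is allowed only in the leftmost label and
    matches within that single label (no match across dots)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if (len(p_labels) != len(h_labels) or "*" not in p_labels[0]
            or any("*" in lab for lab in p_labels[1:])):
        return False
    first = re.escape(p_labels[0]).replace(r"\*", "[^.]*")
    return re.fullmatch(first, h_labels[0]) is not None and p_labels[1:] == h_labels[1:]


def check_host_buggy(host, san_value, subject_cn):
    """Pre-fix logic as the report describes it: if a SAN extension exists,
    every entry is compared to the host regardless of its type, so a SAN that
    holds only 'email:tuskdev.edu' fails even though the CN is correct."""
    if san_value is not None:
        for _kind, value in split_san(san_value):
            if hostname_matches(value, host):
                return "subjectAltName"
        raise WrongHost(host, san_value, "subjectAltName")
    if subject_cn is not None and hostname_matches(subject_cn, host):
        return "subject"
    raise WrongHost(host, subject_cn, "subject")


def check_host_fixed(host, san_value, subject_cn):
    """Corrected logic: only DNS entries are host names.  If the SAN has at
    least one, the CN is ignored (RFC 6125, section 6.4.4); if it has none,
    the subject CN is used instead, as the release note describes."""
    dns_names = [v for kind, v in split_san(san_value or "") if kind.upper() == "DNS"]
    if dns_names:
        if any(hostname_matches(name, host) for name in dns_names):
            return "subjectAltName"
        raise WrongHost(host, ", ".join("DNS:" + n for n in dns_names), "subjectAltName")
    if subject_cn is not None and hostname_matches(subject_cn, host):
        return "subject"
    raise WrongHost(host, subject_cn, "subject")


def rejected_field(checker, host, san_value, subject_cn):
    """Run a checker; return the field named in WrongHost, or None if it passed."""
    try:
        checker(host, san_value, subject_cn)
    except WrongHost as exc:
        return exc.fieldName
    return None


# Constructed fixture: the values from the certificate dump in this report.
REPORTED_HOST = "repo.tusk.tufts.edu"
REPORTED_CN = "repo.tusk.tufts.edu"
REPORTED_SAN = "email:tuskdev.edu"

if __name__ == "__main__":
    for name, fn in (("buggy", check_host_buggy), ("fixed", check_host_fixed)):
        try:
            print(name, "->", fn(REPORTED_HOST, REPORTED_SAN, REPORTED_CN))
        except WrongHost as err:
            print(name, "->", err)
```

Run stand-alone, the "buggy" line reproduces the error text from the traceback and the "fixed" line reports a match on the subject field. The fixed checker deliberately keeps the CN out of the decision whenever DNS entries are present, so a certificate whose SAN names only other hosts is still rejected even if its CN happens to equal the expected name.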

Comment 1 Miloslav Trmač 2009-06-08 18:13:00 UTC
Thanks for your report.

If you are a RHEL customer and have an active support entitlement, please
contact official Red Hat Support at https://www.redhat.com/apps/support/ to
allow correct prioritization of this issue.

(Related upstream report: https://bugzilla.osafoundation.org/show_bug.cgi?id=9605 )

Comment 7 Ruediger Landmann 2009-08-14 01:37:00 UTC
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
The M2Crypto SSL certificate checker incorrectly rejected
certificates with a subjectAltName extension that did not contain a host
name. M2Crypto now uses the certificate subject field instead of
subjectAltName if subjectAltName does not contain a host name.

Comment 8 errata-xmlrpc 2009-09-02 11:19:52 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1351.html

Comment 9 Jim Pirzyk 2009-09-06 19:46:43 UTC
The package does not solve the problem.

rpm -q m2crypto
m2crypto-0.16-6.el5.3

yum check-update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: mirror.ipnode.info
 * rpmforge: fr2.rpmfind.net
 * base: updates.interworx.info
 * updates: mirror.skiplink.com
 * addons: mirror.sanctuaryhost.com
 * extras: mirror.anl.gov
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 229, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 104, in main
    result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 339, in doCommands
    self._getTs(needTsRemove)
  File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 101, in _getTs
    self._getTsInfo(remove_only)
  File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 112, in _getTsInfo
    pkgSack = self.pkgSack
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 592, in <lambda>
    pkgSack = property(fget=lambda self: self._getSacks(),
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 435, in _getSacks
    self.repos.populateSack(which=repos)
  File "/usr/lib/python2.4/site-packages/yum/repos.py", line 251, in populateSack
    sack.populate(repo, mdtype, callback, cacheonly)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 160, in populate
    if self._check_db_version(repo, mydbtype):
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 217, in _check_db_version
    return repo._check_db_version(mdtype)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1119, in _check_db_version
    repoXML = self.repoXML
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1277, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1269, in _getRepoXML
    self._loadRepoXML(text=self)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1259, in _loadRepoXML
    return self._groupLoadRepoXML(text, ["primary"])
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1243, in _groupLoadRepoXML
    if self._commonLoadRepoXML(text):
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1094, in _commonLoadRepoXML
    result = self._getFileRepoXML(local, text)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 887, in _getFileRepoXML
    cache=self.http_caching == 'all')
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 744, in _getFile
    http_headers=headers,
  File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 412, in urlgrab
    return self._mirror_try(func, url, kw)
  File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 398, in _mirror_try
    return func_ref( *(fullurl,), **kwargs )
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 934, in urlgrab
    return self._retry(opts, retryfunc, url, filename)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 852, in _retry
    r = apply(func, (opts,) + args, {})
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 920, in retryfunc
    fo = URLGrabberFileObject(url, filename, opts)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1008, in __init__
    self._do_open()
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1091, in _do_open
    fo, hdr = self._make_request(req, opener)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1200, in _make_request
    fo = opener.open(req)
  File "/usr/lib64/python2.4/urllib2.py", line 358, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.4/urllib2.py", line 376, in _open
    '_open', req)
  File "/usr/lib64/python2.4/urllib2.py", line 337, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.4/site-packages/M2Crypto/m2urllib2.py", line 66, in https_open
    h.request(req.get_method(), req.get_full_url(), req.data, headers)
  File "/usr/lib64/python2.4/httplib.py", line 810, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.4/httplib.py", line 833, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.4/httplib.py", line 804, in endheaders
    self._send_output()
  File "/usr/lib64/python2.4/httplib.py", line 685, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.4/httplib.py", line 652, in send
    self.connect()
  File "/usr/lib64/python2.4/site-packages/M2Crypto/httpslib.py", line 47, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 159, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Checker.py", line 86, in __call__
    fieldName='subjectAltName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate subjectAltName does not match host, expected repo.tusk.tufts.edu, got email:tuskdev.edu

Comment 10 Miloslav Trmač 2009-09-07 08:09:55 UTC
The erratum contains m2crypto-0.16-6.el5.6, not ... el5.3.  Can you retest with ...el5.6, please?

Comment 11 Jim Pirzyk 2009-09-07 14:57:56 UTC
Sorry about that, user error.  Mistook the -6 for being the el5.6.  Pinged CentOS to push this package out.

