[Bug 1802125] Re: openssl 1.1.0 incorrectly verifies certificates with permitted name constraints
madbiologist
1802125 at bugs.launchpad.net
Wed Nov 7 15:49:51 UTC 2018
** Tags added: bionic
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1802125
Title:
openssl 1.1.0 incorrectly verifies certificates with permitted name constraints
Status in openssl package in Ubuntu:
New
Bug description:
Seen on 18.04.1 with openssl/libssl 1.1.0g-2ubuntu4.1

As per the issue on the openssl GitHub at https://github.com/openssl/openssl/issues/5521 - 1.1.0 is overzealous about parsing common names as hostnames and this can lead to incorrectly rejecting client certificates from CAs with DNS name constraints. This is reportedly fixed in 1.1.1.

Specifically this is an issue in my case because I run an apache2 server that verifies client certificates on https connections and have discovered that some certificates are being rejected because an intermediate CA has DNS name constraints which are being unexpectedly applied to the CN of client certificates.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1802125/+subscriptions
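The reporter's situation, an intermediate CA with a DNS name constraint issuing client certificates whose Common Names are not hostnames, can be reproduced locally with a throwaway chain and the `openssl` command line. The script below is an added example; it is not part of the bug report, of Ubuntu's package, or of OpenSSL's own test suite, and every name in it (Example Root CA, example.com, the three client subjects) is constructed. It creates a root, an intermediate restricted to `permitted;DNS:example.com`, and three client certificates that differ only in their CN, then asks `openssl verify -purpose sslclient` about each. Run on OpenSSL 1.1.1 or later it shows the behaviour the reporter expected: a CN that is not hostname-shaped is left alone, a hostname-shaped CN inside the permitted subtree is accepted, and one outside it is rejected with a permitted subtree violation. Run against the affected 1.1.0g build it tells you which of these the stricter CN handling rejects.

```shell
#!/bin/sh
# Added example (not from the bug report): build a throwaway chain whose
# intermediate CA carries a DNS name constraint and check how `openssl verify`
# treats client certificates with differently shaped Common Names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so `openssl req` does not depend on the system openssl.cnf.
# The subject is always passed with -subj, so the placeholder CN is never used.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# The intermediate may only issue DNS names under example.com (constructed value).
cat > "$WORK/intermediate.ext" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = critical,permitted;DNS:example.com
EOF

# Client profile: an e-mail SAN but no DNS SAN, which is typical for client certs
# and is exactly the case where the CN gets examined as a possible hostname.
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:client@example.com
EOF

# issue NAME SUBJECT EXTFILE SERIAL [ISSUER]; no ISSUER means self-signed root.
issue() {
    name=$1; subject=$2; extfile=$3; serial=$4; issuer=${5:-}
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
        -subj "$subject" -out "$WORK/$name.csr" >/dev/null 2>&1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 7 -set_serial "$serial" -extfile "$extfile" \
            -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -days 7 -set_serial "$serial" \
            -extfile "$extfile" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

issue root         "/CN=Example Root CA"        "$WORK/ca.ext"           1
issue intermediate "/CN=Example Constrained CA" "$WORK/intermediate.ext" 2 root
issue person       "/CN=Alice Smith"            "$WORK/client.ext"       3 intermediate
issue intree       "/CN=alice.example.com"      "$WORK/client.ext"       4 intermediate
issue outtree      "/CN=alice.example.net"      "$WORK/client.ext"       5 intermediate

# verify_client NAME: prints "NAME: accepted" or "NAME: rejected" on stdout,
# the verifier's diagnostic on stderr, and always returns 0 (safe under set -e).
verify_client() {
    out=$(openssl verify -purpose sslclient -CAfile "$WORK/root.pem" \
              -untrusted "$WORK/intermediate.pem" "$WORK/$1.pem" 2>&1) \
        && status=accepted || status=rejected
    echo "$1: $status"
    if [ "$status" = rejected ]; then
        printf '  %s\n' "$out" >&2
    fi
    return 0
}

# Stand-alone run: one line per client certificate.
for client in person intree outtree; do
    verify_client "$client"
done
```

`-purpose sslclient` approximates what mod_ssl asks libssl to check for a client certificate; pointing the same command at the real CA bundle and a certificate that Apache rejected is a quick way to see the exact verify error (for the out-of-tree case above it is `permitted subtree violation`, error 47) before deciding whether the fix is the 1.1.1 upgrade the reporter mentions or a certificate reissue.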