[Bug 1802125] Re: openssl 1.1.0 incorrectly verifies certificates with permitted name constraints

Adrien Nader 1802125 at bugs.launchpad.net
Mon May 15 07:32:17 UTC 2023


Since the versions currently in Ubuntu contain this fix, I'm going to
mark this bug as Fix Released.

** Changed in: openssl (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1802125

Title:
  openssl 1.1.0 incorrectly verifies certificates with permitted name
  constraints

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  Seen on 18.04.1 with openssl/libssl 1.1.0g-2ubuntu4.1

  As per the issue on the openssl github at
  https://github.com/openssl/openssl/issues/5521 - 1.1.0 is overzealous
  about parsing common names as hostnames and this can lead to
  incorrectly rejecting client certificates from CAs with DNS name
  constraints. This is reportedly fixed in 1.1.1.

  Specifically this is an issue in my case because I run an apache2
  server that verifies client certificates on https connections and have
  discovered that some certificates are being rejected because an
  intermediate CA has DNS name constraints which are being unexpectedly
  applied to the CN of client certificates.

