Using SSL certificate with empty CN field
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| octavia | Fix Released | Medium | Michael Johnson | |
Bug Description
I am trying to create a listener with the HTTPS Terminated protocol and want to use an SSL certificate with an empty CN field.
I generate the SSL certificate in the following way:
```
# generate a 4096-bit RSA key and a CSR (subject/CN left empty at the prompts)
openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr
# self-sign the CSR to produce a certificate valid for one year
openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out cert.pem
```
And I get an error like: Unreadable Certificate,
due to an IndexError on the line:
https:/
It happens because this code tries to get the CN from the certificate and gets an empty list.
I did not find any note in the haproxy docs that an SSL certificate without a CN is not allowed.
The same goes for octavia validation or code. So it looks like octavia could process cn = None in the code.
Is it possible to obtain the CN optionally and, if it's missing, set it to None?
If it's not allowed, let's handle it in a more user-friendly way with a clear error message instead of a traceback due to an IndexError.
description: updated
Changed in octavia:
status: New → Confirmed
importance: Undecided → Medium
Changed in octavia:
assignee: nobody → Michael Johnson (johnsom)
Here are a couple of initial comments:
1. Octavia is not just an implementation of HAProxy, so any restrictions or behaviors of HAProxy do not apply to the Octavia API necessarily.
2. We strive to be a standards-based project, so the correct behavior should track back to standards documentation. In this case we are talking about the x.509 (ISO/IEC 9594-8:2020) ITU-T recommendation[1].
The subject field (CN is a subset option of subject) is described on page 16. I will excerpt the two important sentences here:
| If the public-key certificate is an end-entity public-key certificate (see clause 7.4), then the
| distinguished name may be an empty sequence providing that the subjectAltName extension is present and
| is flagged as critical (see clause 9.3.2.1). Otherwise, it shall be a non-empty distinguished name.
So the above openssl commands would in fact generate an invalid certificate assuming there is no openssl configuration file present that would meet the above requirements.
All of that said, I also think the get_host_names() code[2] is incorrect. It is valid for the subject field to be empty if the subject alternate name extension is present and mandatory.
So, there is a bug here, it's just a bit more complicated than the test case provided.
[1] https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.509-201910-I!!PDF-E&type=items
[2] https://github.com/openstack/octavia/blob/master/octavia/common/tls_utils/cert_parser.py#L247
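The behaviour the comment above asks for, as an added example that is not Octavia's own cert_parser code: the CN is optional, host names are also taken from subjectAltName, and only a certificate with neither is rejected with a clear error rather than an IndexError. It assumes the `cryptography` package is installed; `make_self_signed` is a hypothetical helper that builds constructed test certificates, including one with an empty subject.

```python
# Added example, not Octavia's code. Assumes the `cryptography` package.
import datetime
from typing import List, Optional
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def get_host_names(cert_pem: bytes) -> dict:
    """Return {'cn': str|None, 'dns_names': [...]}; never raise IndexError."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    cn_attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cn = cn_attrs[0].value if cn_attrs else None  # CN is optional
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        dns_names = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns_names = []
    if cn is None and not dns_names:
        # X.509 allows an empty subject only when a subjectAltName is present
        raise ValueError("certificate has neither a CN nor a subjectAltName")
    return {"cn": cn, "dns_names": dns_names}


def make_self_signed(cn: Optional[str], dns_names: List[str]) -> bytes:
    """Hypothetical helper: constructed self-signed cert, empty subject if cn is None."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)] if cn else [])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    if dns_names:
        # flagged critical, as the recommendation requires for an empty subject
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]),
            critical=True)
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    pem = make_self_signed(None, ["www.example.com", "example.com"])
    print(get_host_names(pem))  # CN is None, names come from the SAN
```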