openssl 1.1.0 incorrectly verifies certificates with permitted name constraints

Bug #1802125 reported by Richard Hesketh on 2018-11-07
Affects: openssl (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Seen on 18.04.1 with openssl/libssl 1.1.0g-2ubuntu4.1

As per the issue on the OpenSSL GitHub at https://github.com/openssl/openssl/issues/5521, 1.1.0 is overzealous about parsing common names as hostnames, and this can lead to incorrectly rejecting client certificates from CAs with DNS name constraints. This is reportedly fixed in 1.1.1.

Specifically, this is an issue in my case because I run an apache2 server that verifies client certificates on HTTPS connections, and I have discovered that some certificates are being rejected because an intermediate CA has DNS name constraints which are unexpectedly being applied to the CN of the client certificates.
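The following triage helper is an added example, not code from this bug report or from OpenSSL. Given the subject CN and SAN dNSName values of client certificates issued under an intermediate that carries permitted dNSName subtrees, it lists which certificates a name-constraint check that treats the CN as a hostname would reject, so an operator can tell the surprising rejections (a login-style CN such as "jdoe") apart from correct ones (a SAN hostname outside the subtree). The dNSName subtree comparison follows the RFC 5280 suffix rule; the "looks like a hostname" heuristic and the decision to check the CN even when SAN dNSNames are present are this example's own assumptions, not a reproduction of any OpenSSL version's exact logic. The certificates and the constraint are constructed sample data.

```python
import re

# One DNS label per RFC 1123: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def cn_looks_like_hostname(cn: str) -> bool:
    """Heuristic (this example's own, not OpenSSL's code): a CN made only of
    dot-separated RFC 1123 labels is something a CN-as-hostname check would
    treat as a DNS name. 'Jane Doe' is not; 'jdoe' and 'jane.doe' are."""
    if not cn or cn.endswith("."):
        return False
    return all(_LABEL.match(label) for label in cn.split("."))


def dns_name_permitted(name: str, base: str) -> bool:
    """RFC 5280 dNSName subtree match: an empty base permits everything;
    otherwise name must equal base (case-insensitively) or end with base at a
    label boundary. A base that starts with '.' supplies the boundary itself.
    'corp.example.com' permits 'host.corp.example.com' but not
    'evilcorp.example.com'."""
    name, base = name.lower(), base.lower()
    if base == "":
        return True
    if len(name) > len(base):
        if not base.startswith(".") and name[len(name) - len(base) - 1] != ".":
            return False
        return name[len(name) - len(base):] == base
    return name == base


def permitted_by_any(name: str, permitted: list) -> bool:
    return any(dns_name_permitted(name, base) for base in permitted)


def classify_client_cert(cn: str, san_dns_names: list, permitted_dns: list) -> str:
    """Verdict for one end-entity certificate under the given permitted
    dNSName subtrees:
      'no-dns-constraints'      nothing to check
      'san-violation'           a SAN dNSName is outside the subtrees (correct rejection)
      'cn-treated-as-hostname'  the CN alone looks like a hostname and is outside
                                the subtrees: the rejection this report describes
      'ok'                      accepted
    Assumption: the CN is checked whether or not SAN dNSNames are present."""
    if not permitted_dns:
        return "no-dns-constraints"
    for san in san_dns_names:
        if not permitted_by_any(san, permitted_dns):
            return "san-violation"
    if cn_looks_like_hostname(cn) and not permitted_by_any(cn, permitted_dns):
        return "cn-treated-as-hostname"
    return "ok"


# Constructed sample: an intermediate constrained to corp.example.com issues client certs.
SAMPLE_PERMITTED = ["corp.example.com"]
SAMPLE_CLIENT_CERTS = {
    "Jane Doe": [],                               # human-readable CN, never hostname-like
    "jdoe": [],                                   # login-style CN, hostname-like, outside subtree
    "jane.doe": [],                               # dotted CN, hostname-like, outside subtree
    "laptop42.corp.example.com": [],              # hostname CN inside the subtree
    "svc-backup": ["backup.corp.example.com"],    # SAN inside subtree, CN still hostname-like
    "printer": ["printer.evilcorp.example.com"],  # SAN outside the subtree
}


def triage(certs: dict = SAMPLE_CLIENT_CERTS, permitted: list = SAMPLE_PERMITTED) -> dict:
    """Map each sample CN to its verdict."""
    return {cn: classify_client_cert(cn, sans, permitted) for cn, sans in certs.items()}


if __name__ == "__main__":
    for cn, verdict in triage().items():
        print(f"{cn!r:36} -> {verdict}")
```

The CN and SAN values for real certificates can be read from `openssl x509 -noout -text` output and fed to `classify_client_cert`; any certificate reported as `cn-treated-as-hostname` is one whose CN, not its SAN, is what falls outside the intermediate's permitted subtree.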

madbiologist (me-again) on 2018-11-07
tags: added: bionic