openssl 1.1.0 incorrectly verifies certificates with permitted name constraints

Bug #1802125 reported by Richard Hesketh
Affects: openssl (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Seen on 18.04.1 with openssl/libssl 1.1.0g-2ubuntu4.1

As per the issue on the openssl GitHub at https://github.com/openssl/openssl/issues/5521, 1.1.0 is overzealous about parsing common names as hostnames, and this can lead to incorrectly rejecting client certificates from CAs with DNS name constraints. This is reportedly fixed in 1.1.1.

Specifically, this is an issue in my case because I run an apache2 server that verifies client certificates on HTTPS connections, and I have discovered that some certificates are being rejected because an intermediate CA has DNS name constraints which are being unexpectedly applied to the CN of client certificates.

Tags: bionic
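A way to check whether the locally installed OpenSSL behaves as described above, added here and not part of the bug report: the script builds a throw-away root, an intermediate carrying a DNS name constraint and client certificates under it, then runs `openssl verify -purpose sslclient` the way a client-certificate check does. Subject names, file names and the `.example.com` subtree are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the bug report: build a throw-away chain whose
# intermediate carries a DNS name constraint and verify client certificates
# against it with the local OpenSSL (purpose sslclient). All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# req needs a DN section even with -subj; the name constraint sits only on int_ext.
cat > "$WORK/nc.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
commonName = unused
[root_ext]
basicConstraints = critical, CA:TRUE
[int_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
nameConstraints = critical, permitted;DNS:.example.com
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
# mkcert NAME SUBJECT EXT_SECTION [ISSUER]; without ISSUER the cert is self-signed
mkcert() {
    name=$1; subj=$2; ext=$3; issuer=${4:-}
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -batch \
        -config "$WORK/nc.cnf" -subj "$subj" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 2 \
            -extfile "$WORK/nc.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
            -CAcreateserial -days 2 -extfile "$WORK/nc.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}
# verify_client SUBJECT: issue a client cert under the constrained intermediate and
# verify the chain; returns 0 when it validates, 1 when OpenSSL rejects it
verify_client() {
    mkcert client "$1" client_ext int
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
            -purpose sslclient "$WORK/client.pem" >/dev/null 2>&1
    then echo "accepted: $1"; else echo "rejected: $1"; return 1; fi
}
mkcert root "/CN=Demo Root" root_ext
mkcert int "/CN=Demo Intermediate" int_ext root
# A person's name is not a hostname: 1.1.1 and later leave it alone, while 1.1.0
# tested it against the permitted subtree and rejected the certificate (this bug).
verify_client "/CN=Jane Doe" || true
# A CN that is a hostname outside the permitted subtree is rejected by every version.
verify_client "/CN=host.example.org" || true
```

On a fixed OpenSSL the first certificate is accepted and the second rejected; an affected 1.1.0 rejects both.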
Adrien Nader (adrien) wrote:

Since the versions currently in Ubuntu contain this fix, I'm going to mark this bug as Fix Released.

Changed in openssl (Ubuntu):
status: New → Fix Released