We are observing the following error:
[r...@rhel6-64-build]# openssl verify -CAfile /usr/share/rhn/VonServerCA.crt
rh-satellite.kewr1.s.vonagenetworks.net.pem
rh-satellite.kewr1.s.vonagenetworks.net.pem: C = US, O = Vonage Holdings, OU
= Vonage Networks, CN = rh-satellite-01.kewr0.s.vonagenetworks.net
error 47 at 0 depth lookup:permitted subtree violation
when using openssl 1.0.0 and 1.0.0b but not with 0.9.7a and 0.9.8e. The
certificate in VonServerCA.crt has:
X509v3 Name Constraints:
Permitted:
DirName: C = US, O = Vonage Holdings
DNS:.vonage.net
URI:https://.vonage.net
email:.vonage.net
DNS:.vonage.com
URI:https://.vonage.com
email:.vonage.com
DNS:.vonagenetworks.net
URI:https://.vonagenetworks.net
email:.vonagenetworks.net
and the dns hostname being tested has a suffix of .vonagenetworks.net
From reading RFC 2459 section 4.2.1.11 I believe that the code in nc_dns() is
wrongly looking for a preceding '.' instead of a leading '.'. Enclosed is
a small patch, done with the 1.0.0b base, to correct this which fixes my
issue. Please include it in the next release or let me know what is
wrong with my thinking.
Thanks.
Roy
--
Roy Marantz | Systems Architect
Vonage | 23 Main St | Holmdel, NJ / 07733
t: 732-444-2419 | c: 732-737-5944
--- crypto/x509v3/v3_ncons.c.ORIG Mon Oct 11 23:24:51 2010
+++ crypto/x509v3/v3_ncons.c Thu Jan 6 14:20:32 2011
@@ -395,13 +395,13 @@
if (!*baseptr)
return X509_V_OK;
/* Otherwise can add zero or more components on the left so
- * compare RHS and if dns is longer and expect '.' as preceding
- * character.
+ * compare RHS and if dns is longer and expect '.' as leading
+ * character. See RFC2459 Section 4.2.1.11 for details
*/
if (dns->length > base->length)
{
dnsptr += dns->length - base->length;
- if (dnsptr[-1] != '.')
+ if (dnsptr[0] != '.')
return X509_V_ERR_PERMITTED_VIOLATION;
}
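Review bot: the change from `if (dnsptr[-1] != '.')` to `if (dnsptr[0] != '.')` fixes bases written with a leading dot (".vonagenetworks.net") but rejects every proper subdomain of a base written without one: with base "vonagenetworks.net" and a name "www.vonagenetworks.net", dnsptr is advanced to the 'v' of the suffix, so dnsptr[0] is not '.' and the function now returns X509_V_ERR_PERMITTED_VIOLATION where the old check accepted the name. RFC 2459 4.2.1.11 writes the constraint without a leading dot ("foo.bar.com"), so the code has to keep accepting that spelling. Suggest accepting either form in the same test, e.g. `if (*baseptr != '.' && dnsptr[-1] != '.')`, and rewording the comment to say that a base beginning with '.' already carries the label separator, which the strcasecmp() below then compares as part of the suffix. Also worth noting in the comment that RFC 2459 has been obsoleted, so the reference should at least name the section's current successor when the text is updated.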
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
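As an added example (not code from the original post or from OpenSSL), the following stand-alone C model of the DNS suffix check discussed above runs the three candidate rules side by side: the 1.0.0b test (the character before the suffix must be '.'), the posted patch (the first character of the suffix must be '.'), and a rule that accepts a base with or without a leading dot. The function and enum names, and the sample names fed to it, are assumptions made for this example; the return value 47 is used because that is the code shown in the error output above.

```c
/* Added example, not OpenSSL code: a model of the nc_dns() suffix
 * check with the three rules discussed in the post, so that the effect
 * of each on dotted and undotted bases can be seen on sample input. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define NC_OK 0
#define NC_PERMITTED_VIOLATION 47   /* value printed as "error 47" above */

enum nc_rule {
    RULE_ORIGINAL,  /* 1.0.0b: dnsptr[-1] must be '.'            */
    RULE_PATCHED,   /* posted patch: dnsptr[0] must be '.'        */
    RULE_EITHER     /* base with a leading '.' carries its own separator;
                       otherwise require '.' just before the suffix   */
};

/* Assumed model of nc_dns(): the base must equal the name or be a
 * right-hand suffix of it; comparison is case-insensitive, as in the
 * original which uses strcasecmp(). Returns NC_OK or the error code. */
int nc_dns_model(const char *dns, const char *base, enum nc_rule rule)
{
    size_t dlen = strlen(dns), blen = strlen(base);
    const char *dnsptr = dns;

    if (!*base)                      /* empty base matches everything */
        return NC_OK;

    if (dlen > blen) {
        dnsptr += dlen - blen;       /* align on the right-hand side */
        switch (rule) {
        case RULE_ORIGINAL:
            if (dnsptr[-1] != '.')
                return NC_PERMITTED_VIOLATION;
            break;
        case RULE_PATCHED:
            if (dnsptr[0] != '.')
                return NC_PERMITTED_VIOLATION;
            break;
        case RULE_EITHER:
            if (*base != '.' && dnsptr[-1] != '.')
                return NC_PERMITTED_VIOLATION;
            break;
        }
    }
    /* shorter or equal-length names fall straight through to the compare */
    if (strcasecmp(base, dnsptr))
        return NC_PERMITTED_VIOLATION;
    return NC_OK;
}

/* Prints a small table for the constructed sample names below. */
int main(void)
{
    /* constructed sample input: one name from the post, one undotted base */
    static const char *pairs[][2] = {
        { "rh-satellite-01.kewr0.s.vonagenetworks.net", ".vonagenetworks.net" },
        { "www.vonagenetworks.net",                     "vonagenetworks.net"  },
        { "bigvonagenetworks.net",                      "vonagenetworks.net"  },
        { "vonagenetworks.net",                         "vonagenetworks.net"  },
    };
    static const char *names[] = { "original", "patched", "either" };
    size_t i;
    int r;

    for (i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++) {
        printf("%-44s vs %-22s", pairs[i][0], pairs[i][1]);
        for (r = RULE_ORIGINAL; r <= RULE_EITHER; r++)
            printf("  %s=%d", names[r],
                   nc_dns_model(pairs[i][0], pairs[i][1], (enum nc_rule)r));
        putchar('\n');
    }
    return 0;
}
```

The table makes the trade-off visible: the original rule rejects the dotted base from the post, the posted patch rejects every subdomain of an undotted base, and only the combined rule accepts both while still rejecting "bigvonagenetworks.net".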