I now see that you are correct. I did misread that part of the RFC. Sorry about bothering you with this. Thanks.
Roy
On 1/6/11 2:28 PM, "Richard Levitte via RT" <[email protected]> wrote:

> I'm afraid your interpretation of RFC2459, section 4.2.1.11 is a bit flawed. The
> following sentence defines how DNS restrictions apply:
>
> "DNS name restrictions are expressed as foo.bar.com. Any subdomain satisfies the name
> constraint. For example, www.foo.bar.com would satisfy the constraint but
> bigfoo.bar.com would not."
>
> Note that there's no leading period there. The restriction in VonServerCA.crt should
> therefore be like this:
>
> X509v3 Name Constraints:
>     Permitted:
>       DirName: C = US, O = Vonage Holdings
>       DNS:vonage.net
>       URI:https://.vonage.net
>       email:.vonage.net
>       DNS:vonage.com
>       URI:https://.vonage.com
>       email:.vonage.com
>       DNS:vonagenetworks.net
>       URI:https://.vonagenetworks.net
>       email:.vonagenetworks.net
>
> Cheers,
> Richard
>
>> [[email protected] - Thu Jan 06 18:31:09 2011]:
>>
>> We are observing the following error:
>>
>> [r...@rhel6-64-build]# openssl verify -CAfile /usr/share/rhn/VonServerCA.crt rh-satellite.kewr1.s.vonagenetworks.net.pem
>> rh-satellite.kewr1.s.vonagenetworks.net.pem: C = US, O = Vonage Holdings, OU = Vonage Networks, CN = rh-satellite-01.kewr0.s.vonagenetworks.net
>> error 47 at 0 depth lookup:permitted subtree violation
>>
>> when using openssl 1.0.0 and 1.0.0b but not with 0.9.7a and 0.9.8e. The
>> certificate in VonServerCA.crt has:
>>
>> X509v3 Name Constraints:
>>     Permitted:
>>       DirName: C = US, O = Vonage Holdings
>>       DNS:.vonage.net
>>       URI:https://.vonage.net
>>       email:.vonage.net
>>       DNS:.vonage.com
>>       URI:https://.vonage.com
>>       email:.vonage.com
>>       DNS:.vonagenetworks.net
>>       URI:https://.vonagenetworks.net
>>       email:.vonagenetworks.net
>>
>> and the dns hostname being tested has a suffix of .vonagenetworks.net
>>
>> From reading rfc2459 section 4.2.1.11 I believe that the code in nc_dns() is
>> wrongly looking for a preceding '.' instead of a leading '.'.
>> Enclosed is a small patch, done with the 1.0.0b base, to correct this which fixes my
>> issue. Please include it in the next release or let me know what is
>> wrong with my thinking.
>> Thanks.
>> Roy
>>
>> ______________________________________________________________________

OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
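The RFC 2459 rule Richard quotes (a dNSName constraint written without a leading period matches the name itself and any subdomain of it, so the character before the matched suffix must be a '.'), as an added example in C that is not part of this thread and is not OpenSSL's nc_dns(). The function name nc_dns_permits() is a hypothetical helper; the names come from the thread, and the example shows why the leading-dot constraint from VonServerCA.crt produces the permitted-subtree violation.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison (DNS names are case-insensitive).
 * Returns 0 when equal, like strcmp(). */
static int dns_casecmp(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);
        if (d != 0)
            return d;
    }
    return (unsigned char)*a - (unsigned char)*b;
}

/* RFC 2459 4.2.1.11 dNSName check: the name is permitted when it equals
 * the base, or when the base is a suffix of the name and the character
 * immediately before that suffix is '.', i.e. the name is a subdomain of
 * the base. An empty base permits everything. Returns 1 if permitted,
 * 0 for a permitted-subtree violation. */
int nc_dns_permits(const char *base, const char *name)
{
    size_t blen = strlen(base), nlen = strlen(name);

    if (blen == 0)
        return 1;
    if (nlen < blen)
        return 0;
    /* "bigfoo.bar.com" vs "foo.bar.com": preceding char is 'g', not '.' */
    if (nlen > blen && name[nlen - blen - 1] != '.')
        return 0;
    return dns_casecmp(name + (nlen - blen), base) == 0;
}

int main(void)
{
    /* Constructed inputs: the RFC's own example and the CN from the thread */
    const char *cn = "rh-satellite-01.kewr0.s.vonagenetworks.net";
    printf("%d\n", nc_dns_permits("foo.bar.com", "www.foo.bar.com")); /* 1 */
    printf("%d\n", nc_dns_permits("foo.bar.com", "bigfoo.bar.com"));  /* 0 */
    /* With base ".vonagenetworks.net" the matched suffix is preceded by
     * 's' rather than '.', so the RFC rule rejects it: error 47 */
    printf("%d\n", nc_dns_permits(".vonagenetworks.net", cn));        /* 0 */
    /* Without the leading period, as Richard suggests, the CN is permitted */
    printf("%d\n", nc_dns_permits("vonagenetworks.net", cn));         /* 1 */
    return 0;
}
```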
