Your message dated Mon, 28 Dec 2020 13:02:05 +0100
with message-id <3c431f4d-e621-01f7-04b3-8b31bc81d...@sfritsch.de>
and subject line Re: Bug#904684: ssl-cert: HostName length check is too small
has caused the Debian Bug report #904684,
regarding ssl-cert: HostName length check is too small
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
904684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904684
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ssl-cert
Version: 1.0.39
Severity: normal
In the make_snakeoil() function, the code gets the FQDN of the system
via a call to 'hostname -f'. Then it checks if the FQDN is longer
than 64 characters, and if it is, uses the short hostname.
However, a FQDN can be up to 255 octets per RFC 1035, Section 2.3.4:
2.3.4. Size limits
Various objects and parameters in the DNS have size limits. They are
listed below. Some could be easily changed, others are more
fundamental.
labels          63 octets or less
names           255 octets or less
TTL             positive values of a signed 32 bit number.
https://tools.ietf.org/html/rfc1035
https://stackoverflow.com/questions/32290167/
The 64 octet limit is for each sub-component:
part1.partb.foo.example.com
So each of "part1", "foo", etc, must be less than 64, and the entire
FQDN string must be less than 255.
But that is not what the script is checking: it is seeing if the
entire FQDN string is less than 64--which is about four times too short.
-- System Information:
Debian Release: 9.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-7-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages ssl-cert depends on:
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.61
ii openssl 1.1.0f-3+deb9u2
ssl-cert recommends no packages.
Versions of packages ssl-cert suggests:
pn openssl-blacklist <none>
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Hi,
sorry for the late response.
On 26.07.18 at 17:47, David Magda wrote:
Package: ssl-cert
Version: 1.0.39
Severity: normal
In the make_snakeoil() function, the code gets the FQDN of the system
via a call to 'hostname -f'. Then it checks if the FQDN is longer
than 64 characters, and if it is, uses the short hostname.
However, a FQDN can be up to 255 octets per RFC 1035, Section 2.3.4:
But that is not what the script is checking: it is seeing if the
entire FQDN string is less than 64--which is about four times too short.
It's not the DNS name limit that is enforced here but the length limit
of the "common name" attribute of a X509 certificate. The full name is
still put into the SubjectAltName attribute, which has no such length
limit. I think the current behavior is correct here. I will put a
comment in the script to make it clearer.
Therefore I am closing the report.
Cheers,
Stefan
--- End Message ---
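The two limits discussed in this thread are easy to conflate, so the following is an added Python example (not code from ssl-cert's make-ssl-cert script, and not written by either correspondent). check_dns_name applies the RFC 1035 size limits the report quotes, counting the name in wire form (each label is preceded by a length octet and the name ends with a zero octet, so the 255-octet bound corresponds to 253 characters of dotted text); choose_subject_names mirrors the behaviour Stefan describes, keeping the FQDN as commonName only while it fits the 64-character ub-common-name bound of RFC 5280 Appendix A, falling back to the short hostname otherwise, and always carrying the full name in subjectAltName; openssl_req_config writes the result as a minimal `openssl req -config` file. The function names, the constructed hostnames and the config layout are this example's own assumptions.

```python
"""Name-length checks for a self-signed "snakeoil" certificate.

Added example; not code from ssl-cert's make-ssl-cert script. The function
names, the constructed hostnames and the openssl config layout are this
example's own assumptions.
"""
import re
from typing import List, Optional, Tuple

# RFC 1035 section 2.3.4 limits (octets, wire form).
MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255
# RFC 5280 appendix A: ub-common-name INTEGER ::= 64
UB_COMMON_NAME = 64

# Letters, digits and hyphen, no leading or trailing hyphen (the "LDH" rule).
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_dns_name(fqdn: str) -> Optional[str]:
    """Return None if fqdn fits the RFC 1035 size limits, else a reason.

    The 255-octet limit applies to the wire encoding: every label is
    preceded by a length octet and the name ends with a zero octet, so a
    dotted-text name of N characters occupies N + 2 octets (253 chars max).
    """
    name = fqdn.rstrip(".")  # a trailing dot marks the root, not a label
    if not name:
        return "empty name"
    labels = name.split(".")
    for label in labels:
        if not label:
            return "empty label (consecutive dots)"
        if len(label) > MAX_LABEL_OCTETS:
            return f"label {label[:12]!r}... is {len(label)} octets, limit is {MAX_LABEL_OCTETS}"
        if not _LABEL_RE.match(label):
            return f"label {label!r} contains characters outside letters, digits and hyphen"
    wire_len = sum(1 + len(label) for label in labels) + 1
    if wire_len > MAX_NAME_OCTETS:
        return f"name is {wire_len} octets in wire form, limit is {MAX_NAME_OCTETS}"
    return None


def choose_subject_names(fqdn: str) -> Tuple[str, List[str]]:
    """Pick the commonName and subjectAltName entries for a host.

    The X.509 commonName attribute is bounded by ub-common-name (64), so a
    longer FQDN cannot go there and the short hostname is used instead. The
    full name always goes into subjectAltName, which has no such bound and
    is what clients match first anyway (RFC 6125 checks DNS-ID before CN-ID).
    """
    short = fqdn.split(".", 1)[0]
    common_name = fqdn if len(fqdn) <= UB_COMMON_NAME else short
    sans = [fqdn] if short == fqdn else [fqdn, short]
    return common_name, sans


def openssl_req_config(common_name: str, sans: List[str]) -> str:
    """Render a minimal 'openssl req -config' file with CN and SAN set."""
    alt_names = ", ".join(f"DNS:{name}" for name in sans)
    return (
        "[ req ]\n"
        "distinguished_name = req_dn\n"
        "x509_extensions = v3_ext\n"
        "prompt = no\n"
        "\n"
        "[ req_dn ]\n"
        f"CN = {common_name}\n"
        "\n"
        "[ v3_ext ]\n"
        f"subjectAltName = {alt_names}\n"
    )


if __name__ == "__main__":
    # Constructed hostname, 82 characters: valid DNS, but too long for commonName.
    fqdn = "web01." + ".".join(["dept"] * 13) + ".example.org"
    problem = check_dns_name(fqdn)
    if problem:
        raise SystemExit(f"refusing {fqdn}: {problem}")
    cn, sans = choose_subject_names(fqdn)
    print(openssl_req_config(cn, sans))
```

Run stand-alone, the block prints a config for the constructed 82-character name with `CN = web01` and the full name in subjectAltName; that file can be passed to `openssl req -new -x509 -config` to produce the certificate. Note that the DNS check and the commonName check answer different questions: a name can pass RFC 1035 comfortably and still be too long for the CN attribute, which is exactly the case the maintainer describes.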