On Thursday, 9 May 2019 13:43:36 CEST Andrei Susnea wrote:
> Hi,
>
> Using openssl 1.0.2h I'm getting SSL_ERROR_SYSCALL while trying to
> authenticate a certificate with the following SAN names configuration:
>
> X509v3 Subject Alternative Name:
>
> DNS:xxxx.xxxxxx.xxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxx.xxxxxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxx.xxx.xxxxxxxxxxx.com
>
>
> With the previous config, it worked:
>
> X509v3 Subject Alternative Name:
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com
>
>
> I tried upgrading to 1.0.2r with the same result.
>
> Does anyone know if it's a name length issue with this version?
> I read you can have as many as 150 names x 25 characters < 4k.

Where did you get those limits?

The certificate has expired, but https://1000-sans.badssl.com/ does verify
otherwise with both 1.1.0i from Fedora and 1.0.2k from RHEL7:

$ faketime 'last year' openssl s_client -connect 1000-sans.badssl.com:443 -servername 1000-sans.badssl.com -verify_hostname 1000-sans.badssl.com
...
Verify return code: 0 (ok)

https://longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com
works fine too.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
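Added example (not code from the thread, from OpenSSL's test suite, or from badssl.com): the same check Hubert runs against 1000-sans.badssl.com, done offline so it does not depend on an expired certificate. It generates a self-signed leaf with N DNS SAN entries via `openssl req` and a config file, then asks `openssl verify -verify_hostname` whether a given name matches. It assumes an `openssl` CLI (1.0.2 or later) on PATH; the domain `example.test`, the `hostN.` labels, the file names and the counts are constructed for this example. Besides showing that 1000 entries verify like four, it also demonstrates the caveat that once a certificate carries any dNSName SAN, the subject CN is no longer consulted for hostname matching.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces hostname verification
# against a certificate with a large SAN list, entirely offline.
# All names, paths and counts below are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_san_cert N BASE
# Writes $WORK/cert.pem: a self-signed cert for CN=cn.BASE whose SAN holds
# DNS:host1.BASE ... DNS:hostN.BASE. Entries go into an @alt section, one
# per config line, so no single config line grows with N.
# Prints the number of DNS: entries OpenSSL parses back out of the cert.
make_san_cert() {
    n=$1
    base=$2
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = leaf\nprompt = no\n'
        printf '[dn]\nCN = cn.%s\n' "$base"
        printf '[leaf]\nsubjectAltName = @alt\n[alt]\n'
        i=1
        while [ "$i" -le "$n" ]; do
            printf 'DNS.%d = host%d.%s\n' "$i" "$i" "$base"
            i=$((i + 1))
        done
    } > "$WORK/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/san.cnf" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    # -text prints the whole SAN list on one comma-separated line.
    openssl x509 -in "$WORK/cert.pem" -noout -text \
        | tr ',' '\n' | grep -c 'DNS:'
}

# check_host NAME
# Runs OpenSSL's own hostname matching (X509_check_host, the same code
# s_client -verify_hostname uses) against $WORK/cert.pem. The cert is
# self-signed, so it is passed as its own trust anchor via -CAfile.
# Prints "ok" or "fail" and returns 0 or 1 accordingly.
check_host() {
    if openssl verify -CAfile "$WORK/cert.pem" -verify_hostname "$1" \
            "$WORK/cert.pem" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo fail
    return 1
}

# Demo: 1000 entries, the size of the badssl test certificate in the thread.
count=$(make_san_cert 1000 example.test)
echo "certificate carries $count SAN entries"
for name in host1.example.test host1000.example.test \
            host1001.example.test cn.example.test; do
    # host1001 is absent from the SAN list; cn.example.test is only the CN,
    # which OpenSSL ignores once a dNSName SAN is present.
    printf '%-24s %s\n' "$name" "$(check_host "$name")"
done
```

Run it as `sh san-check.sh`. The first two names report `ok`, the last two `fail`; if the CN line surprises you, that is RFC 6125 behaviour and the reason a missing SAN entry cannot be papered over with a CN. If you instead get a failure for every name, run the `openssl verify` command without the redirects to see the actual verify error, which is what distinguishes a hostname mismatch from a broken chain.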