Re: X509v3 SAN names length question

On Thursday, 9 May 2019 13:43:36 CEST Andrei Susnea wrote:
> Hi,
> 
> Using openssl 1.0.2h I'm getting SSL_ERROR_SYSCALL while trying to
> authenticate a certificate with the following SAN names configuration:
> 
> X509v3 Subject Alternative Name:
> 
>                 DNS:xxxx.xxxxxx.xxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxx.xxxxxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxx.xxx.xxxxxxxxxxx.com
> 
> 
> With the previous config, it worked:
> 
> X509v3 Subject Alternative Name:
>                 DNS:xxxxxxxxxxx-xxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com
> 
> 
> I tried upgrading to 1.0.2r with the same result.
> 
> Does anyone know if it's a name length issue with this version?
> I read you can have as many as 150 names x 25 characters < 4k.

where did you get those limits?

the certificate has expired, but https://1000-sans.badssl.com/ does verify 
otherwise with both 1.1.0i from Fedora and 1.0.2k from RHEL7:

$ faketime 'last year' openssl s_client -connect 1000-sans.badssl.com:443 -servername 1000-sans.badssl.com -verify_hostname 1000-sans.badssl.com
...
    Verify return code: 0 (ok)

https://longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com works fine too

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

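As an added illustration of the length question raised in the thread (not code from either poster): a minimal encoder/decoder for the SubjectAltName GeneralNames SEQUENCE with dNSName entries, plus an RFC 6125-style hostname matcher. It shows that DER length fields switch to the multi-byte long form above 127 bytes, so the encoding itself bounds neither the number of names nor their length; the sample names used to exercise it are constructed.

```python
DNS_NAME_TAG = 0x82   # GeneralName dNSName: [2] IMPLICIT IA5String
SEQUENCE_TAG = 0x30   # GeneralNames is a SEQUENCE OF GeneralName
def der_len(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_san(names) -> bytes:
    """Encode a GeneralNames SEQUENCE holding only dNSName entries."""
    inner = b"".join(bytes([DNS_NAME_TAG]) + der_len(len(n)) + n.encode("ascii")
                     for n in names)
    return bytes([SEQUENCE_TAG]) + der_len(len(inner)) + inner

def _read_len(buf: bytes, i: int):
    first = buf[i]   # returns (length, index just past the length field)
    if first < 0x80:
        return first, i + 1
    k = first & 0x7F
    if k == 0 or i + 1 + k > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[i + 1:i + 1 + k], "big"), i + 1 + k

def decode_san(der: bytes):
    """Walk the SEQUENCE and collect dNSName values; other GeneralName choices are skipped."""
    if not der or der[0] != SEQUENCE_TAG:
        raise ValueError("expected SEQUENCE")
    total, i = _read_len(der, 1)
    end = i + total
    if end != len(der):
        raise ValueError("SEQUENCE length does not match input")
    names = []
    while i < end:
        tag = der[i]
        length, i = _read_len(der, i + 1)
        value, i = der[i:i + length], i + length
        if tag == DNS_NAME_TAG:
            names.append(value.decode("ascii"))
    return names

def hostname_matches(host: str, names) -> bool:
    """RFC 6125 style: exact match, or '*' only as the whole leftmost label."""
    host = host.lower().rstrip(".")
    for n in (x.lower().rstrip(".") for x in names):
        if n == host or (n.startswith("*.") and "*" not in n[2:]
                         and host.count(".") == n.count(".")
                         and host.split(".", 1)[1] == n[2:]):
            return True
    return False
```

With six constructed 47-character names the inner content is 294 bytes, so the outer length is encoded as the three-byte long form `82 01 26`; a decoder that only handled the short form would fail exactly on such a certificate.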

