On Thursday, 9 May 2019 13:43:36 CEST Andrei Susnea wrote:
> Hi,
>
> Using openssl 1.0.2h I'm getting SSL_ERROR_SYSCALL while trying to
> authenticate a certificate with the following SAN names configuration:
>
> X509v3 Subject Alternative Name:
>
> DNS:xxxx.xxxxxx.xxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxx.xxxxxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxx.xxx.xxxxxxxxxxx.com
>
>
> With the previous config, it worked:
>
> X509v3 Subject Alternative Name:
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com
>
>
> I tried upgrading to 1.0.2r with the same result.
>
> Does anyone know if it's a name length issue with this version?
> I read you can have as many as 150 names x 25 characters < 4k.
where did you get those limits?
the certificate has expired, but
https://1000-sans.badssl.com/ does verify
otherwise with both 1.1.0i from Fedora and 1.0.2k from RHEL7:
$ faketime 'last year' openssl s_client -connect 1000-sans.badssl.com:443 -
servername 1000-sans.badssl.com -verify_hostname 1000-sans.badssl.com
...
Verify return code: 0 (ok)
https://
longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com
works fine too
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic