X509v3 SAN names length question


X509v3 SAN names length question

Andrei Susnea
Hi, 

Using openssl 1.0.2h I'm getting SSL_ERROR_SYSCALL while trying to authenticate a certificate with the following SAN names configuration:

X509v3 Subject Alternative Name:
    DNS:xxxx.xxxxxx.xxx.xxx.xxxxxxxxxxx.com,
    DNS:xxxx.xxxxxx.xxxx.xxx.xxxxxxxxxxx.com,
    DNS:xxxxxxxxxxx-xxxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
    DNS:xxxxxxxxxxx-xxxxx.xxx.xxx.xxx.xxxxxxxxxxx.com,
    DNS:xxxxxxxxxxx-xxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
    DNS:xxxxxxxxxxx-xxxx.xxx.xxx.xxx.xxxxxxxxxxx.com

With the previous config, it worked:
X509v3 Subject Alternative Name:
    DNS:xxxxxxxxxxx-xxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com,
    DNS:xxxxxxxxxxx-xxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
    DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
    DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com

I tried upgrading to 1.0.2r with the same result. 
Does anyone know if it's a name length issue with this version?
I read you can have as many as 150 names x 25 characters < 4k.
Or if updating to 1.1.1b would fix this issue? 

Thanks, 
Andrei

Re: X509v3 SAN names length question

Hubert Kario
On Thursday, 9 May 2019 13:43:36 CEST Andrei Susnea wrote:

> Hi,
>
> Using openssl 1.0.2h I'm getting SSL_ERROR_SYSCALL while trying to
> authenticate a certificate with the following SAN names configuration:
>
> X509v3 Subject Alternative Name:
>
>                 DNS:xxxx.xxxxxx.xxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxx.xxxxxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxx.xxx.xxxxxxxxxxx.com
>
>
> With the previous config, it worked:
>
> X509v3 Subject Alternative Name:
>                 DNS:xxxxxxxxxxx-xxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com
>
>
> I tried upgrading to 1.0.2r with the same result.
>
> Does anyone know if it's a name length issue with this version?
> I read you can have as many as 150 names x 25 characters < 4k.
where did you get those limits?

the certificate has expired, but https://1000-sans.badssl.com/ does verify
otherwise with both 1.1.0i from Fedora and 1.0.2k from RHEL7:

$ faketime 'last year' openssl s_client -connect 1000-sans.badssl.com:443 -servername 1000-sans.badssl.com -verify_hostname 1000-sans.badssl.com
...
    Verify return code: 0 (ok)

https://longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com works fine too

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

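To put the "150 names x 25 characters" figure from the first post into concrete bytes, here is an added example (my own code, not from the thread or from OpenSSL) that DER-encodes a SubjectAltName GeneralNames value from a list of dNSName strings and parses it back, so the real size and count of a SAN list can be measured instead of guessed. The names used in the test are constructed.

```python
# Added example: encode/decode the GeneralNames value of an X.509
# SubjectAltName extension (RFC 5280), dNSName entries only.
# Pure standard library; constructed inputs, no OpenSSL required.

DNSNAME_TAG = 0x82    # context-specific [2] IMPLICIT IA5String (dNSName)
SEQUENCE_TAG = 0x30   # universal SEQUENCE


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_san(names: list[str]) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName, every entry a dNSName."""
    items = b"".join(
        bytes([DNSNAME_TAG]) + der_length(len(n)) + n.encode("ascii")
        for n in names
    )
    return bytes([SEQUENCE_TAG]) + der_length(len(items)) + items


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long form: first byte = octet count
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_san(der: bytes) -> list[str]:
    """Extract the dNSName entries from a DER GeneralNames value."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE_TAG or end != len(der):
        raise ValueError("not a well-formed GeneralNames SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == DNSNAME_TAG:            # other GeneralName choices are skipped
            names.append(value.decode("ascii"))
    return names


def san_size(names: list[str]) -> int:
    """Encoded byte length of a SAN value holding these dNSName entries."""
    return len(encode_san(names))
```

For 150 names of 25 characters each, `san_size` gives 4054 bytes (27 per entry plus a 4-byte SEQUENCE header), which is well inside what the 1000-sans.badssl.com certificate above already exercises.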

Re: X509v3 SAN names length question

Viktor Dukhovni
In reply to this post by Andrei Susnea
On Thu, May 09, 2019 at 02:43:36PM +0300, Andrei Susnea wrote:

> Using openssl 1.0.2h I'm getting SSL_ERROR_SYSCALL while trying to
> authenticate a certificate with the following SAN names configuration:

The details of the certificate content are irrelevant.  Something
else changed.

You should be looking at the correctness of your application code,
and PCAP captures of the traffic to detect any network-layer issues.

--
        Viktor.