0003664: m2crypto does not handle subjectAltName having non DNS:xxx entries - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0003664	CentOS-5	m2crypto	public	2009-06-04 01:35	2009-10-17 22:40

Reporter	pirzyk
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	5.3
Target Version		Fixed in Version	5.4

Summary	0003664: m2crypto does not handle subjectAltName having non DNS:xxx entries
Description	Version-Release number of selected component (if applicable): 0.16-6.el5.3 How reproducible: All the time Steps to Reproduce: 1. Get a SSL Certificate from IPSca for a yum repository 2. Setup the yum repository 3. Configure RHEL client to connect to the yum repository Actual results: Traceback (most recent call last): File "/usr/bin/yum", line 29, in ? yummain.user_main(sys.argv[1:], exit_code=True) File "/usr/share/yum-cli/yummain.py", line 229, in user_main errcode = main(args) File "/usr/share/yum-cli/yummain.py", line 104, in main result, resultmsgs = base.doCommands() File "/usr/share/yum-cli/cli.py", line 339, in doCommands self._getTs(needTsRemove) File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 101, in _getTs self._getTsInfo(remove_only) File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 112, in _getTsInfo pkgSack = self.pkgSack File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 591, in <lambda> pkgSack = property(fget=lambda self: self._getSacks(), File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 434, in _getSacks self.repos.populateSack(which=repos) File "/usr/lib/python2.4/site-packages/yum/repos.py", line 251, in populateSack sack.populate(repo, mdtype, callback, cacheonly) File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 159, in populate if self._check_db_version(repo, mydbtype): File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 216, in _check_db_version return repo._check_db_version(mdtype) File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 966, in _check_db_version repoXML = self.repoXML File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1124, in <lambda> repoXML = property(fget=lambda self: self._getRepoXML(), File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1116, in _getRepoXML self._loadRepoXML(text=self) File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1106, in _loadRepoXML return self._groupLoadRepoXML(text, ["primary"]) File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1090, in _groupLoadRepoXML if self._commonLoadRepoXML(text): File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 941, in _commonLoadRepoXML result = self._getFileRepoXML(local, text) File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 812, in _getFileRepoXML cache=self.http_caching == 'all') File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 687, in _getFile http_headers=headers, File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 412, in urlgrab return self._mirror_try(func, url, kw) File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 398, in _mirror_try return func_ref( (fullurl,), kwargs ) File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 934, in urlgrab return self._retry(opts, retryfunc, url, filename) File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 852, in _retry r = apply(func, (opts,) + args, {}) File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 920, in retryfunc fo = URLGrabberFileObject(url, filename, opts) File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1008, in __init__ self._do_open() File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1091, in _do_open fo, hdr = self._make_request(req, opener) File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1200, in _make_request fo = opener.open(req) File "/usr/lib/python2.4/urllib2.py", line 358, in open response = self._open(req, data) File "/usr/lib/python2.4/urllib2.py", line 376, in _open '_open', req) File "/usr/lib/python2.4/urllib2.py", line 337, in _call_chain result = func(args) File "/usr/lib/python2.4/site-packages/M2Crypto/m2urllib2.py", line 66, in https_open h.request(req.get_method(), req.get_full_url(), req.data, headers) File "/usr/lib/python2.4/httplib.py", line 810, in request self._send_request(method, url, body, headers) File "/usr/lib/python2.4/httplib.py", line 833, in _send_request self.endheaders() File "/usr/lib/python2.4/httplib.py", line 804, in endheaders self._send_output() File "/usr/lib/python2.4/httplib.py", line 685, in _send_output self.send(msg) File "/usr/lib/python2.4/httplib.py", line 652, in send self.connect() File "/usr/lib/python2.4/site-packages/M2Crypto/httpslib.py", line 47, in connect self.sock.connect((self.host, self.port)) File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 159, in connect if not check(self.get_peer_cert(), self.addr[0]): File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Checker.py", line 86, in __call__ fieldName='subjectAltName') M2Crypto.SSL.Checker.WrongHost: Peer certificate subjectAltName does not match host, expected repo.tusk.tufts.edu, got email:tuskdev@elist.tufts.edu Expected results: Successfully connecting to the yum repository Additional info: According to the m2crypto comments in the code, it should only check against the subjectAltName if the entry starts with DNS:, but it does not look like the python code checks for it. # subjectAltName=DNS:somehost[, ...]* try: subjectAltName = peerCert.get_ext('subjectAltName').get_value() if not self._splitSubjectAltName(self.host, subjectAltName): raise WrongHost(expectedHost=self.host, actualHost=subjectAltName, fieldName='subjectAltName') hostValidationPassed = True Here is the SSL certificate information: Certificate: Data: Version: 3 (0x2) Serial Number: 64562 (0xfc32) Signature Algorithm: sha1WithRSAEncryption Issuer: C=ES, ST=Barcelona, L=Barcelona, O=IPS Certification Authority s.l., O=general@ipsca.com C.I.F. B-B62210695, OU=ipsCA CLASEA1 Certification Authority, CN=ipsCA CLASEA1 Certification Authority/emailAddress=general@ipsca.com Validity Not Before: May 14 15:55:30 2009 GMT Not After : May 14 15:55:30 2011 GMT Subject: C=US, ST=Massachusetts, L=Boston, O=Tufts University, OU=TUSK, CN=repo.tusk.tufts.edu/emailAddress=tuskdev@elist.tufts.edu Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:9e:00:5d:c0:f8:e6:5b:cb:e3:ba:a6:f0:5f:4c: 3b:bd:5c:49:dc:92:2f:47:ef:bf:d9:aa:8b:ac:87: 77:cd:1a:74:7a:2f:da:a3:6e:ae:53:9c:54:e8:2b: 25:ef:1c:c5:96:5c:24:6a:3f:07:a7:c9:ef:c8:1c: d3:c8:e3:b5:93 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Subject Key Identifier: BF:0E:C2:87:9F:5D:F3:CE:3C:FA:9D:3F:2A:F4:AA:3E:1A:67:32:A1 X509v3 Authority Key Identifier: keyid:0E:07:60:D4:39:C9:1B:5B:5D:90:7B:23:C8:D2:34:9D:4A:9A:46:39 X509v3 Subject Alternative Name: email:tuskdev@elist.tufts.edu X509v3 Issuer Alternative Name: email:general@ipsca.com Netscape Comment: Organization Information NOT VALIDATED. CLASEA1 Server Certificate issued by https://www.ipsca.com/ Netscape Base Url: https://www.ipsca.com/ipsca2002/ Netscape CA Revocation Url: https://www.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl Netscape Revocation Url: https://www.ipsca.com/ipsca2002/revocationCLASEA1.html? Netscape Renewal Url: https://www.ipsca.com/ipsca2002/renewalCLASEA1.html? Netscape CA Policy Url: https://www.ipsca.com/ipsca2002/policyCLASEA1.html X509v3 CRL Distribution Points: URI:http://www.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl URI:http://wwwback.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl Authority Information Access: OCSP - URI:http://ocsp.ipsca.com/ Signature Algorithm: sha1WithRSAEncryption 3d:0a:7d:b5:31:64:2b:17:a8:d6:a3:df:ea:8d:1b:ab:b3:06: c3:c2:9c:f9:ab:d1:3c:a9:ec:60:c8:2d:f4:e7:50:26:4d:f0: 5b:34:96:d2:d3:98:34:46:71:fe:3a:fd:c5:e6:c6:00:86:e8: 2d:46:73:28:51:c0:60:64:f9:56:d0:44:11:d1:87:82:76:fd: 63:89:9d:32:ce:32:75:30:c2:fb:61:3f:62:45:cb:95:65:c7: 21:e2:63:4b:7e:89:ca:b7:96:0f:30:8b:17:af:cb:97:84:45: a7:c7:b4:00:81:83:59:a6:32:7e:9b:b2:e6:1a:4e:20:0b:4e: af:b8 -----BEGIN CERTIFICATE----- MIIGKzCCBZSgAwIBAgIDAPwyMA0GCSqGSIb3DQEBBQUAMIIBEjELMAkGA1UEBhMC RVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMSkwJwYD VQQKEyBJUFMgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgcy5sLjEuMCwGA1UEChQl Z2VuZXJhbEBpcHNjYS5jb20gQy5JLkYuICBCLUI2MjIxMDY5NTEuMCwGA1UECxMl aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMl aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEgMB4GCSqGSIb3 DQEJARYRZ2VuZXJhbEBpcHNjYS5jb20wHhcNMDkwNTE0MTU1NTMwWhcNMTEwNTE0 MTU1NTMwWjCBpjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMx DzANBgNVBAcTBkJvc3RvbjEZMBcGA1UEChMQVHVmdHMgVW5pdmVyc2l0eTENMAsG A1UECxMEVFVTSzEcMBoGA1UEAxMTcmVwby50dXNrLnR1ZnRzLmVkdTEmMCQGCSqG SIb3DQEJARYXdHVza2RldkBlbGlzdC50dWZ0cy5lZHUwXDANBgkqhkiG9w0BAQEF AANLADBIAkEAngBdwPjmW8vjuqbwX0w7vVxJ3JIvR++/2aqLrId3zRp0ei/ao26u U5xU6Csl7xzFllwkaj8Hp8nvyBzTyOO1kwIDAQABo4IDOjCCAzYwCQYDVR0TBAIw ADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgP4MBMGA1UdJQQMMAoGCCsG AQUFBwMBMB0GA1UdDgQWBBS/DsKHn13zzjz6nT8q9Ko+GmcyoTAfBgNVHSMEGDAW gBQOB2DUOckbW12QeyPI0jSdSppGOTAiBgNVHREEGzAZgRd0dXNrZGV2QGVsaXN0 LnR1ZnRzLmVkdTAcBgNVHRIEFTATgRFnZW5lcmFsQGlwc2NhLmNvbTByBglghkgB hvhCAQ0EZRZjT3JnYW5pemF0aW9uIEluZm9ybWF0aW9uIE5PVCBWQUxJREFURUQu IENMQVNFQTEgU2VydmVyIENlcnRpZmljYXRlIGlzc3VlZCBieSBodHRwczovL3d3 dy5pcHNjYS5jb20vMC8GCWCGSAGG+EIBAgQiFiBodHRwczovL3d3dy5pcHNjYS5j b20vaXBzY2EyMDAyLzBDBglghkgBhvhCAQQENhY0aHR0cHM6Ly93d3cuaXBzY2Eu Y29tL2lwc2NhMjAwMi9pcHNjYTIwMDJDTEFTRUExLmNybDBGBglghkgBhvhCAQME ORY3aHR0cHM6Ly93d3cuaXBzY2EuY29tL2lwc2NhMjAwMi9yZXZvY2F0aW9uQ0xB U0VBMS5odG1sPzBDBglghkgBhvhCAQcENhY0aHR0cHM6Ly93d3cuaXBzY2EuY29t L2lwc2NhMjAwMi9yZW5ld2FsQ0xBU0VBMS5odG1sPzBBBglghkgBhvhCAQgENBYy aHR0cHM6Ly93d3cuaXBzY2EuY29tL2lwc2NhMjAwMi9wb2xpY3lDTEFTRUExLmh0 bWwwgYMGA1UdHwR8MHowOaA3oDWGM2h0dHA6Ly93d3cuaXBzY2EuY29tL2lwc2Nh MjAwMi9pcHNjYTIwMDJDTEFTRUExLmNybDA9oDugOYY3aHR0cDovL3d3d2JhY2su aXBzY2EuY29tL2lwc2NhMjAwMi9pcHNjYTIwMDJDTEFTRUExLmNybDAyBggrBgEF BQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmlwc2NhLmNvbS8wDQYJ KoZIhvcNAQEFBQADgYEAPQp9tTFkKxeo1qPf6o0bq7MGw8Kc+avRPKnsYMgt9OdQ Jk3wWzSW0tOYNEZx/jr9xebGAIboLUZzKFHAYGT5VtBEEdGHgnb9Y4mdMs4ydTDC +2E/YkXLlWXHIeJjS36JyreWDzCLF6/Ll4RFp8e0AIGDWaYyfpuy5hpOIAtOr7g= -----END CERTIFICATE-----
Additional Information	See RedHat bug 504060
Tags	fixed in 5.4 updates

range 2009-06-04 10:33 administrator ~0009438	I would suggest that you report this issue upstream at https://bugzilla.redhat.com/ - although I am not sure if yum is supposed to be able to work with that. If you do report it upstream, please point us to the bug report there (and enter this bug report's number in the "foreign issue trackers" box on https://bugzilla.redhat.com/). Thanks!

pirzyk 2009-09-07 14:56 reporter ~0009894	RedHat issued an update and errata fixing this problem: http://rhn.redhat.com/errata/RHBA-2009-1351.html Can we get m2crypto-0.16-6.el5.6 built and pushed to the CentOS yum repositories?

range 2009-09-07 15:07 administrator ~0009895	Yes, probably with the general updates after 5.4 has hit the shelves.

Date Modified	Username	Field	Change
2009-06-04 01:35	pirzyk	New Issue
2009-06-04 10:33	range	Note Added: 0009438
2009-06-04 10:33	range	Status	new => feedback
2009-09-07 14:56	pirzyk	Note Added: 0009894
2009-09-07 15:07	range	Note Added: 0009895
2009-09-07 15:07	range	Tag Attached: fixed in 5.4 updates
2009-09-07 15:07	range	Status	feedback => assigned
2009-10-17 22:40	range	Status	assigned => resolved
2009-10-17 22:40	range	Fixed in Version	=> 5.4
2009-10-17 22:40	range	Resolution	open => fixed