View Issue Details

ID: 0003664
Project: CentOS-5
Category: m2crypto
View Status: public
Last Update: 2009-10-17 22:40
Reporter: pirzyk
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 5.3
Target Version:
Fixed in Version: 5.4
Summary: 0003664: m2crypto does not handle subjectAltName having non DNS:xxx entries
Description:
Version-Release number of selected component (if applicable):
0.16-6.el5.3

How reproducible:
All the time

Steps to Reproduce:
1. Get a SSL Certificate from IPSca for a yum repository
2. Setup the yum repository
3. Configure RHEL client to connect to the yum repository

Actual results:
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 229, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 104, in main
    result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 339, in doCommands
    self._getTs(needTsRemove)
  File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 101, in _getTs
    self._getTsInfo(remove_only)
  File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 112, in _getTsInfo
    pkgSack = self.pkgSack
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 591, in <lambda>
    pkgSack = property(fget=lambda self: self._getSacks(),
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 434, in _getSacks
    self.repos.populateSack(which=repos)
  File "/usr/lib/python2.4/site-packages/yum/repos.py", line 251, in populateSack
    sack.populate(repo, mdtype, callback, cacheonly)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 159, in populate
    if self._check_db_version(repo, mydbtype):
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 216, in _check_db_version
    return repo._check_db_version(mdtype)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 966, in _check_db_version
    repoXML = self.repoXML
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1124, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1116, in _getRepoXML
    self._loadRepoXML(text=self)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1106, in _loadRepoXML
    return self._groupLoadRepoXML(text, ["primary"])
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1090, in _groupLoadRepoXML
    if self._commonLoadRepoXML(text):
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 941, in _commonLoadRepoXML
    result = self._getFileRepoXML(local, text)
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 812, in _getFileRepoXML
    cache=self.http_caching == 'all')
  File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 687, in _getFile
    http_headers=headers,
  File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 412, in urlgrab
    return self._mirror_try(func, url, kw)
  File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 398, in _mirror_try
    return func_ref( *(fullurl,), **kwargs )
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 934, in urlgrab
    return self._retry(opts, retryfunc, url, filename)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 852, in _retry
    r = apply(func, (opts,) + args, {})
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 920, in retryfunc
    fo = URLGrabberFileObject(url, filename, opts)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1008, in __init__
    self._do_open()
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1091, in _do_open
    fo, hdr = self._make_request(req, opener)
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1200, in _make_request
    fo = opener.open(req)
  File "/usr/lib/python2.4/urllib2.py", line 358, in open
    response = self._open(req, data)
  File "/usr/lib/python2.4/urllib2.py", line 376, in _open
    '_open', req)
  File "/usr/lib/python2.4/urllib2.py", line 337, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.4/site-packages/M2Crypto/m2urllib2.py", line 66, in https_open
    h.request(req.get_method(), req.get_full_url(), req.data, headers)
  File "/usr/lib/python2.4/httplib.py", line 810, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.4/httplib.py", line 833, in _send_request
    self.endheaders()
  File "/usr/lib/python2.4/httplib.py", line 804, in endheaders
    self._send_output()
  File "/usr/lib/python2.4/httplib.py", line 685, in _send_output
    self.send(msg)
  File "/usr/lib/python2.4/httplib.py", line 652, in send
    self.connect()
  File "/usr/lib/python2.4/site-packages/M2Crypto/httpslib.py", line 47, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 159, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Checker.py", line 86, in __call__
    fieldName='subjectAltName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate subjectAltName does not match host, expected repo.tusk.tufts.edu, got email:tuskdev@elist.tufts.edu

Expected results:
Successfully connecting to the yum repository

Additional info:

According to the m2crypto comments in the code, it should only check against
the subjectAltName if the entry starts with DNS:, but it does not look like the
python code checks for it.

            # subjectAltName=DNS:somehost[, ...]*
            try:
                subjectAltName = peerCert.get_ext('subjectAltName').get_value()
                if not self._splitSubjectAltName(self.host, subjectAltName):
                    raise WrongHost(expectedHost=self.host,
                                    actualHost=subjectAltName,
                                    fieldName='subjectAltName')
                hostValidationPassed = True



Here is the SSL certificate information:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 64562 (0xfc32)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=Barcelona, L=Barcelona, O=IPS Certification Authority s.l., O=general@ipsca.com C.I.F. B-B62210695, OU=ipsCA CLASEA1 Certification Authority, CN=ipsCA CLASEA1 Certification Authority/emailAddress=general@ipsca.com
        Validity
            Not Before: May 14 15:55:30 2009 GMT
            Not After : May 14 15:55:30 2011 GMT
        Subject: C=US, ST=Massachusetts, L=Boston, O=Tufts University, OU=TUSK, CN=repo.tusk.tufts.edu/emailAddress=tuskdev@elist.tufts.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:9e:00:5d:c0:f8:e6:5b:cb:e3:ba:a6:f0:5f:4c:
                    3b:bd:5c:49:dc:92:2f:47:ef:bf:d9:aa:8b:ac:87:
                    77:cd:1a:74:7a:2f:da:a3:6e:ae:53:9c:54:e8:2b:
                    25:ef:1c:c5:96:5c:24:6a:3f:07:a7:c9:ef:c8:1c:
                    d3:c8:e3:b5:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                BF:0E:C2:87:9F:5D:F3:CE:3C:FA:9D:3F:2A:F4:AA:3E:1A:67:32:A1
            X509v3 Authority Key Identifier:
                keyid:0E:07:60:D4:39:C9:1B:5B:5D:90:7B:23:C8:D2:34:9D:4A:9A:46:39

            X509v3 Subject Alternative Name:
                email:tuskdev@elist.tufts.edu
            X509v3 Issuer Alternative Name:
                email:general@ipsca.com
            Netscape Comment:
                Organization Information NOT VALIDATED. CLASEA1 Server Certificate issued by https://www.ipsca.com/
            Netscape Base Url:
                https://www.ipsca.com/ipsca2002/
            Netscape CA Revocation Url:
                https://www.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl
            Netscape Revocation Url:
                https://www.ipsca.com/ipsca2002/revocationCLASEA1.html?
            Netscape Renewal Url:
                https://www.ipsca.com/ipsca2002/renewalCLASEA1.html?
            Netscape CA Policy Url:
                https://www.ipsca.com/ipsca2002/policyCLASEA1.html
            X509v3 CRL Distribution Points:
                URI:http://www.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl
                URI:http://wwwback.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.ipsca.com/

    Signature Algorithm: sha1WithRSAEncryption
        3d:0a:7d:b5:31:64:2b:17:a8:d6:a3:df:ea:8d:1b:ab:b3:06:
        c3:c2:9c:f9:ab:d1:3c:a9:ec:60:c8:2d:f4:e7:50:26:4d:f0:
        5b:34:96:d2:d3:98:34:46:71:fe:3a:fd:c5:e6:c6:00:86:e8:
        2d:46:73:28:51:c0:60:64:f9:56:d0:44:11:d1:87:82:76:fd:
        63:89:9d:32:ce:32:75:30:c2:fb:61:3f:62:45:cb:95:65:c7:
        21:e2:63:4b:7e:89:ca:b7:96:0f:30:8b:17:af:cb:97:84:45:
        a7:c7:b4:00:81:83:59:a6:32:7e:9b:b2:e6:1a:4e:20:0b:4e:
        af:b8
Additional Information: See RedHat bug 504060
Tags: fixed in 5.4 updates
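The failure in the traceback is a hostname-verification error, not a parsing one: the checker compared the whole subjectAltName value ("email:tuskdev@elist.tufts.edu") against the host, although only DNS entries in that extension name a host. The sketch below is an added example written for this page; it is not M2Crypto's Checker.py and not the code shipped in the RHBA-2009:1351 update. It takes a subjectAltName string in the OpenSSL text form shown in the dump above, keeps only the DNS entries, matches the host against them (one whole leftmost wildcard label at most), and falls back to the subject commonName only when the extension carries no DNS entry at all, which is the RFC 6125 rule. The email-only SAN is the one from the report; the two other SAN values and the helper names are constructed for the example. The "buggy" function reproduces only the observable behaviour from the traceback, not the original library code.

```python
# Hostname checking against subjectAltName, added as an illustration for this
# report. Not M2Crypto's Checker.py and not the vendor fix; names are made up.

# subjectAltName value exactly as printed in the certificate dump above.
SAN_EMAIL_ONLY = "email:tuskdev@elist.tufts.edu"
# Constructed variants for the other cases this check must handle.
SAN_WITH_DNS = ("email:tuskdev@elist.tufts.edu, DNS:repo.tusk.tufts.edu, "
                "IP Address:192.0.2.10")
SAN_WILDCARD = "DNS:*.tusk.tufts.edu"


def dns_names(subject_alt_name):
    """Return the DNS entries of an OpenSSL-style subjectAltName value.

    Entries are comma separated and type-prefixed ("DNS:", "email:",
    "IP Address:", "URI:", ...). Only DNS entries name a host, so every
    other entry type is skipped instead of being compared to the host.
    """
    names = []
    for entry in subject_alt_name.split(","):
        kind, sep, value = entry.strip().partition(":")
        if sep and kind.strip().lower() == "dns" and value.strip():
            names.append(value.strip().lower())
    return names


def match_dns_name(host, pattern):
    """Match host against one DNS name; a wildcard may only be the whole leftmost label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest or not rest:
        # "*" alone, "w*.example.com" and "*.*.example.com" are refused.
        return False
    hfirst, hsep, hrest = host.partition(".")
    # "*.tusk.tufts.edu" matches exactly one extra label: "repo.tusk.tufts.edu"
    # but neither "tusk.tufts.edu" nor "a.b.tusk.tufts.edu".
    return bool(hsep) and hfirst != "" and hrest == rest


def check_host(host, subject_alt_name=None, common_name=None):
    """Decide whether a server certificate is valid for host.

    Returns (ok, reason). If subjectAltName has any DNS entry, the host must
    match one of them and the commonName is ignored. If there is no
    subjectAltName, or it holds only email/IP/URI entries (the report's
    case), fall back to the commonName.
    """
    if subject_alt_name is not None:
        names = dns_names(subject_alt_name)
        if names:
            if any(match_dns_name(host, n) for n in names):
                return True, "matched a subjectAltName DNS entry"
            return False, "no subjectAltName DNS entry matches %s: %r" % (host, names)
    if common_name is not None and match_dns_name(host, common_name):
        return True, "matched commonName (no DNS entry in subjectAltName)"
    return False, "no usable subjectAltName DNS entry and commonName does not match"


def buggy_check_host(host, subject_alt_name):
    """Behaviour visible in the traceback: the raw SAN string is compared to
    the host regardless of entry type, so an email-only SAN can never match."""
    return host.lower() == subject_alt_name.lower()


if __name__ == "__main__":
    host = "repo.tusk.tufts.edu"
    print("buggy, email-only SAN:", buggy_check_host(host, SAN_EMAIL_ONLY))
    print("fixed, email-only SAN:", check_host(host, SAN_EMAIL_ONLY, common_name=host))
    print("fixed, DNS SAN:       ", check_host(host, SAN_WITH_DNS))
    print("fixed, wildcard SAN:  ", check_host(host, SAN_WILDCARD))
    print("CN ignored with DNS SAN:", check_host("other.tusk.tufts.edu", SAN_WITH_DNS,
                                                 common_name="other.tusk.tufts.edu"))
```

Two points worth keeping in mind when reviewing a fix of this kind: once a certificate carries a DNS entry in subjectAltName, the commonName must no longer be consulted, otherwise a CA that validates only SAN entries can be bypassed through an unvalidated CN; and the fallback to CN is a legacy path, so a client that sees an email-only SAN like the one above is relying entirely on the CA having validated the CN. Separately from name matching, the dump also shows a 512-bit RSA key, which is far below current minimums and is rejected by modern TLS stacks regardless of how the name check goes.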

Activities

range (administrator), 2009-06-04 10:33, note ~0009438

I would suggest that you report this issue upstream at https://bugzilla.redhat.com/ - although I am not sure if yum is supposed to be able to work with that.

If you do report it upstream, please point us to the bug report there (and enter this bug report's number in the "foreign issue trackers" box on https://bugzilla.redhat.com/).

Thanks!
pirzyk (reporter), 2009-09-07 14:56, note ~0009894

RedHat issued an update and errata fixing this problem:

http://rhn.redhat.com/errata/RHBA-2009-1351.html

Can we get m2crypto-0.16-6.el5.6 built and pushed to the CentOS yum repositories?
range (administrator), 2009-09-07 15:07, note ~0009895

Yes, probably with the general updates after 5.4 has hit the shelves.

Issue History

Date Modified Username Field Change
2009-06-04 01:35 pirzyk New Issue
2009-06-04 10:33 range Note Added: 0009438
2009-06-04 10:33 range Status new => feedback
2009-09-07 14:56 pirzyk Note Added: 0009894
2009-09-07 15:07 range Note Added: 0009895
2009-09-07 15:07 range Tag Attached: fixed in 5.4 updates
2009-09-07 15:07 range Status feedback => assigned
2009-10-17 22:40 range Status assigned => resolved
2009-10-17 22:40 range Fixed in Version => 5.4
2009-10-17 22:40 range Resolution open => fixed