On Wed, Feb 09, 2022 at 09:17:26AM +0100, Volker Schlecht wrote:
> Environment: -current, snapshot downloaded Feb 8th 2022
> Architecture: amd64
>
> The following command crashes
>
> # openssl req -key <mykeyfile> -config <myconf> -new -x509 -days 365
> -sha256 -extensions v3_ca -out <mycertfile>
> openssl(59343) in free(): chunk is already free 0xa32e41b9310
> Abort trap

Could you please provide full commands and a config file that lead to this crash? We have scripts to create ca certs in our regress tests and they do not crash like that, so this must be something specific to what you have in there.

> Passing the same command to eopenssl11 from ports works without issue.
>
> Note:
> My config file contains a nameConstraints section, and if I pass in
>
> permitted;DNS.0=.personal.lan
> permitted;URI.0=.personal.lan
>
> I additionally get
>
> 9107967210144:error:22FFF077:X509 V3
> routines:func(4095):reason(119):/usr/src/lib/libcrypto/x509/x509_alt.c:658:name=DNS.1
> value='.personal.lan'
>
> Changing the constraints to
>
> permitted;DNS.0=personal.lan
> permitted;URI.0=personal.lan
>
> removes that error but still crashes.
>
> OpenSSL 1.1.1m accepts both nameConstraints.
>

Well, the name constraints with .personal.lan aren't legal, that's why they are rejected. OpenSSL will let you write things in there that will then fail to interoperate.
