I spent more time debugging the problem.
Here's the source snippet from the 1.5.2 version of haproxy (I believe the
latest 1.5.14 has the same issue).

It seems like when the cert has no CN it causes 'sni_ctx' not to be inserted into
the binding's bind_conf. Then when 'ssl_sock_prepare_all_ctx' is called,
SSL_CTX cannot be set because the sni_ctx for the binding is not found.

    /* One sni_ctx is registered per commonName found in the subject.
       A subject that carries no CN never enters the loop body, so no
       sni_ctx is added for that certificate at all. */
    xname = X509_get_subject_name(x);
    i = -1;
    while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) {
            X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i);
            /* convert the ASN1_STRING value to UTF-8 before using it as the SNI name */
            if (ASN1_STRING_to_UTF8((unsigned char **)&str, entry->value) >= 0) {
                    order = ssl_sock_add_cert_sni(ctx, s, str, order);
                    OPENSSL_free(str);
            }
    }

-------------------
Sang-Min Park - Software Engineer
HP Helion Cloud
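As an added pre-deployment check (not code from the haproxy tree or from this thread), the script below counts the subject CN entries a certificate carries, i.e. the entries the quoted X509_NAME_get_index_by_NID() loop iterates over, and can generate the two certificate variants from the report (no CN, and with a CN) to compare them. It assumes the openssl CLI is on PATH; the subjects it builds are constructed to mirror the report.

```shell
#!/bin/sh
# Added example: checks whether a certificate's subject contains any
# commonName, which is what haproxy 1.5 uses (per the quoted loop) to
# register an sni_ctx. A count of 0 means that loop body never runs.
# Assumes the openssl CLI is available.

# Print the number of CN= attributes in the subject of the PEM cert $1.
# sep_multiline puts each RDN on its own indented line, so a value that
# happens to contain "CN=" cannot be miscounted.
cert_cn_count() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253,sep_multiline \
        | grep -c '^ *CN=' || true
}

# Return 0 when the cert carries at least one subject CN, 1 otherwise,
# explaining what the thread reports for the failing case.
check_cert_for_haproxy() {
    n=$(cert_cn_count "$1")
    n=${n:-0}
    if [ "$n" -eq 0 ]; then
        echo "$1: subject has no CN; haproxy 1.5 adds no sni_ctx for it," \
             "so the bind line's ssl/ciphers options are not applied" >&2
        return 1
    fi
    echo "$1: $n CN entry(ies) in subject; an sni_ctx will be registered"
    return 0
}

# Generate a throwaway self-signed cert with subject $1 into file $2
# (private key goes to $2.key). Used only to reproduce both cases locally.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$1" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Usage: sh check_cert_cn.sh /path/to/cert.pem
if [ $# -ge 1 ]; then
    check_cert_for_haproxy "$1"
fi
```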
On 7/27/15, 12:30 PM, "Park, Sang-Min" <[email protected]> wrote:

>Hello there,
>
>While testing SSL termination with Haproxy, I came across a strange
>behavior, and wonder if this is a bug or something expected.
>
>I have a self-signed X509 certificate without CN. So the cert looks like
>this:
>
>Certificate:
>    Data:
>        Version: 1 (0x0)
>        Serial Number: 11926082458965984689 (0xa581f4cf30af45b1)
>    Signature Algorithm: sha1WithRSAEncryption
>        Issuer: C=XX, L=Default City, O=Default Company Ltd
>        Validity
>            Not Before: Jul 15 22:56:12 2015 GMT
>            Not After : Jul 14 22:56:12 2016 GMT
>        Subject: C=XX, L=Default City, O=Default Company Ltd
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>                Public-Key: (2048 bit)
>                Modulus:
>
>Then I added a cipher string in the binding.
>
>  bind 0.0.0.0:8443 ssl crt /var/lib/load-balancer-servo/certwithoutcn/cert.pem no-sslv3 no-tlsv10 no-tlsv11 ciphers DHE-RSA-AES256-SHA256
>
>Then haproxy does not honor the protocols and the specified cipher string, and
>the list of accepted ciphers is the same as in the case without the
>protocol & cipher options (so it's the openssl default). When a cert with a CN
>(any CN, valid or invalid) is used, then the cipher string is correctly
>honored.
>
>Is this a bug?
>-------------------
>Sang-Min Park - Software Engineer
>HP Helion Cloud
>