Message 272020 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Date	2016-08-05.09:26:34
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1470389195.49.0.571813101842.issue27691@psf.upfronthosting.co.za>
In-reply-to

Content
A X509 cert with a registered id general name in subject alternative name causes a SystemError: error return without exception set. This prevents host name validation of certs with a registered id. >>> import _ssl >>> _ssl._test_decode_cert('rid.pem') Traceback (most recent call last): File "<stdin>", line 1, in <module> SystemError: error return without exception set The problem is caused by a bug in OpenSSL's print function for general names. Python's _get_peer_alt_names() uses GENERAL_NAME_print() to print GEN_IPADD, GEN_RID and others into a buffer. The buffer is then split at ':' into two strings. This works for all fields except for GEN_RID because OpenSSL doesn't put a ':' after 'Registered ID', https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c#L183 . _get_peer_alt_names() fails and returns NULL without setting a proper exception. It looks like we haven't had tests for GEN_RID as well as some other field types. Related Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1364268

A X509 cert with a registered id general name in subject alternative name causes a SystemError: error return without exception set. This prevents host name validation of certs with a registered id.

>>> import _ssl
>>> _ssl._test_decode_cert('rid.pem')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
SystemError: error return without exception set

The problem is caused by a bug in OpenSSL's print function for general names. Python's _get_peer_alt_names() uses GENERAL_NAME_print() to print GEN_IPADD, GEN_RID and others into a buffer. The buffer is then split at ':' into two strings. This works for all fields except for GEN_RID because OpenSSL doesn't put a ':' after 'Registered ID', https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c#L183 . _get_peer_alt_names() fails and returns NULL without setting a proper exception.

It looks like we haven't had tests for GEN_RID as well as some other field types.

Related Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1364268

History
Date	User	Action	Args
2016-08-05 09:26:35	christian.heimes	set	recipients: + christian.heimes, janssen, pitrou, giampaolo.rodola, alex, dstufft
2016-08-05 09:26:35	christian.heimes	set	messageid: <1470389195.49.0.571813101842.issue27691@psf.upfronthosting.co.za>
2016-08-05 09:26:35	christian.heimes	link	issue27691 messages
2016-08-05 09:26:34	christian.heimes	create