Bug in SubjectAltName field extractor (invalid X509_get_ext_by_NID usage) #1946

Jean-Daniel · Mar 20, 2017

Issue type

Defect - Unexpected behaviour (obvious or verified by project member).

Defect/Feature description

The eap-TLS module is supposed to extract "TLS-Client-Cert-Subject-Alt-Name" from the certificate when available.

Unfortunately, if the alt name extension is the first one in the certificate, the TLS module fails to read it and ignore the alt names completely.

The bug reside in src/tls.c:961:

loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, 0);

When looking for an attribute, the last parameter of X509_get_ext_by_NID() must be -1 and not 0.

When passing 0, the lookup starts at position 1 and ignore the first extension.

alandekok added a commit that referenced this issue Mar 20, 2017

alandekok Search from the beginning for altname. Closes #1946

This commit was signed with a verified signature.

alandekok Alan DeKok

GPG key ID: 7D0E79CD77621ECD Learn about signing commits

dae5661

alandekok closed this Mar 20, 2017

FreeRADIUS/freeradius-server

Bug in SubjectAltName field extractor (invalid X509_get_ext_by_NID usage) #1946

Jean-Daniel commented Mar 20, 2017 • edited

alandekok added a commit that referenced this issue Mar 20, 2017

alandekok closed this Mar 20, 2017

FreeRADIUS/freeradius-server

Join GitHub today

Bug in SubjectAltName field extractor (invalid X509_get_ext_by_NID usage) #1946

Comments

Jean-Daniel commented Mar 20, 2017 • edited

Issue type

Defect/Feature description

alandekok added a commit that referenced this issue Mar 20, 2017

alandekok closed this Mar 20, 2017