Certificate verification failing sometimes when certificate has empty subject #21156

Closed
wimdec opened this issue Jun 8, 2023 · 0 comments
Labels
branch: master (Merge to master branch); branch: 3.0 (Merge to openssl-3.0 branch); branch: 3.1 (Merge to openssl-3.1); severity: regression (The issue/pr is a regression from previous released version); triaged: bug (The issue/pr is/fixes a bug)

wimdec commented Jun 8, 2023

The leaf certificate in our certificate chain currently has an empty subject.
This always verified fine until we updated Alpine Linux to a version with OpenSSL 3.0.8 (from 1.1.1q).
It is also still validating fine on Debian Linux with OpenSSL 3.0.8.

Root cause analysis indicated that the following commit caused the issue: 72ded6f

The reason is that the empty subject is now always seen as an issue and returns -2, in both cases: when the empty subject is a or b. This of course invalidates the compare invariant: "" < "anything" and "anything" < "".

We have a certificate chain that exactly triggers the issue with the Alpine Linux qsort, so that the correct certificate is no longer found during verification.

When applying the following patch, verification works again: #21155
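The ordering problem described in the comment above, as an added example (not code from OpenSSL or from the issue). It assumes subjects simplified to plain C strings; `cmp_broken`, `cmp_consistent`, `is_sorted`, `find` and the two sample orders are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>
typedef int (*cmp_fn)(const char *, const char *);

/* Model of the issue: an empty subject on either side yields -2.
 * Assumption: subjects are simplified to plain C strings. */
static int cmp_broken(const char *a, const char *b)
{
    return (*a == '\0' || *b == '\0') ? -2 : strcmp(a, b);
}

/* Consistent contrast: empty sorts first (illustration, not the #21155 change). */
static int cmp_consistent(const char *a, const char *b)
{
    if (*a == '\0' || *b == '\0')
        return (*a != '\0') - (*b != '\0');
    return strcmp(a, b);
}

/* Returns 1 if every adjacent pair is in order according to cmp. */
static int is_sorted(cmp_fn cmp, const char *const *v, int n)
{
    for (int i = 0; i + 1 < n; i++)
        if (cmp(v[i], v[i + 1]) > 0) return 0;
    return 1;
}

/* Plain binary search; returns the index of key or -1. */
static int find(cmp_fn cmp, const char *const *v, int n, const char *key)
{
    int lo = 0, hi = n;
    while (lo < hi) {
        int mid = lo + (hi - lo) / 2, c = cmp(key, v[mid]);
        if (c == 0) return mid;
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    return -1;
}

/* Constructed subjects; "" is the empty subject. */
static const char *const ORDER_A[] = { "", "CN=Intermediate", "CN=Root" };
static const char *const ORDER_B[] = { "CN=Intermediate", "", "CN=Root" };

int main(void)
{
    printf("broken cmp: A=%d B=%d\n", find(cmp_broken, ORDER_A, 3, "CN=Root"),
           find(cmp_broken, ORDER_B, 3, "CN=Root"));
    printf("B sorted under consistent cmp: %d\n", is_sorted(cmp_consistent, ORDER_B, 3));
    return 0;
}
```

Both orders count as sorted under the broken comparator, so where the empty entry lands depends on the sort implementation, and the binary search finds `CN=Root` in only one of them.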

@wimdec wimdec added the issue: bug report The issue was opened to report a bug label Jun 8, 2023
@wimdec wimdec changed the title from "Certificate validation failing sometimes when certificate has empty subject" to "Certificate verification failing sometimes when certificate has empty subject" Jun 8, 2023
@t8m t8m added branch: master Merge to master branch triaged: bug The issue/pr is/fixes a bug branch: 3.0 Merge to openssl-3.0 branch severity: regression The issue/pr is a regression from previous released version branch: 3.1 Merge to openssl-3.1 and removed issue: bug report The issue was opened to report a bug labels Jun 8, 2023
wimdec added a commit to wimdec/openssl that referenced this issue Jun 8, 2023
openssl-machine pushed a commit that referenced this issue Jun 12, 2023
CLA: trivial

Fixes #21156

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #21155)

(cherry picked from commit ec59752)
openssl-machine pushed a commit that referenced this issue Jun 12, 2023
CLA: trivial

Fixes #21156

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #21155)

(cherry picked from commit ec59752)