[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#904684: marked as done (ssl-cert: HostName length check is too small)

Your message dated Mon, 28 Dec 2020 13:02:05 +0100
with message-id <3c431f4d-e621-01f7-04b3-8b31bc81d4e1@sfritsch.de>
and subject line Re: Bug#904684: ssl-cert: HostName length check is too small
has caused the Debian Bug report #904684,
regarding ssl-cert: HostName length check is too small
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
904684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904684
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: ssl-cert
Version: 1.0.39
Severity: normal

In the make_snakeoil() funtion, the code gets the FQDN of the system
via a call to 'hostname -f'. Then it checks if this the FQDN is longer
than 64 characters, and if it is, uses the short hostname.

However, a FQDN can be up to 255 octets per RFC 1035, Section 2.3.4:

	2.3.4. Size limits

	Various objects and parameters in the DNS have size limits.  They are
	listed below.  Some could be easily changed, others are more
	fundamental.

	labels          63 octets or less
	names           255 octets or less
	TTL             positive values of a signed 32 bit number.


    https://tools.ietf.org/html/rfc1035
    https://stackoverflow.com/questions/32290167/

The 64 octet limit is for each sub-component:

	part1.partb.foo.example.com

So the each of "part1", "foo", etc, must less than 64, and the entire
FQDN string must be less than 255.

But that is not what the script is checking: it is seeing if the 
entire FQDN string is less than 64--which is about four times too short.


-- System Information:
Debian Release: 9.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-7-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssl-cert depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  openssl                1.1.0f-3+deb9u2

ssl-cert recommends no packages.

Versions of packages ssl-cert suggests:
pn  openssl-blacklist  <none>

-- debconf information excluded

--- End Message ---
--- Begin Message --- 
Hi,

sorry for the late response.

Am 26.07.18 um 17:47 schrieb David Magda:

Package: ssl-cert
Version: 1.0.39
Severity: normal

In the make_snakeoil() funtion, the code gets the FQDN of the system
via a call to 'hostname -f'. Then it checks if this the FQDN is longer
than 64 characters, and if it is, uses the short hostname.

However, a FQDN can be up to 255 octets per RFC 1035, Section 2.3.4:





But that is not what the script is checking: it is seeing if the
entire FQDN string is less than 64--which is about four times too short.
It's not the DNS name limit that is enforced here but the length limit of the "common name" attribute of a X509 certificate. The full name is still put into the SubjectAltName attribute, which has no such length limit. I think the current behavior is correct here. I will put a comment in the script to make it clearer. 

Therefore I am closing the report.

Cheers,
Stefan

--- End Message ---
Reply to: