X509v3 SAN names length question

[Hubert Kario]

On Thursday, 9 May 2019 13:43:36 CEST Andrei Susnea wrote:
> Hi,
> 
> Using openssl 1.0.2h I'm getting SSL_ERROR_SYSCALL while trying to
> authenticate a certificate with the following SAN names configuration:
> 
> X509v3 Subject Alternative Name:
> 
>                 DNS:xxxx.xxxxxx.xxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxx.xxxxxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxx.xxx.xxxxxxxxxxx.com
> 
> 
> With the previous config, it worked:
> 
> X509v3 Subject Alternative Name:
>                 DNS:xxxxxxxxxxx-xxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxx.xxx.xxxxxxxxxxx.com,
> DNS:xxxxxxxxxxx-xxxxx.xxx.xxxxxx.xxx.xxxxxxxxxxx.com
> 
> 
> I tried upgrading to 1.0.2r with the same result.
> 
> Does anyone know if it's a name length issue with this version?
> I read you can have as many as 150 names x 25 characters < 4k.

where did you get those limits?

the certificate has expired, but https://1000-sans.badssl.com/ does verify 
otherwise with both 1.1.0i from Fedora and 1.0.2k from RHEL7:

$ faketime 'last year' openssl s_client -connect 1000-sans.badssl.com:443 -
servername 1000-sans.badssl.com -verify_hostname 1000-sans.badssl.com
...
    Verify return code: 0 (ok)

https://
longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com 
works fine too

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190509/efffdc90/attachment.sig>