Bug 38859 - Generating a certificate fails if len(FQDN) > 64; join stalls
Summary: Generating a certificate fails if len(FQDN) > 64; join stalls
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Docker
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1
Assignee: Daniel Tröder
QA Contact: Philipp Hahn
URL:
Keywords: interim-1
Duplicates: 31368 32763 34101 34102
Depends on:
Blocks: 38887
Reported: 2015-07-08 14:13 CEST by Dirk Wiesenthal
Modified: 2017-04-07 10:22 CEST (History)
See Also:
Attachments
patch for security hole (927 bytes, patch)
2015-09-15 12:31 CEST, Florian Best
patch for security hole (1.08 KB, patch)
2015-09-15 12:33 CEST, Florian Best
patch for security hole (1.00 KB, patch)
2015-09-15 12:45 CEST, Florian Best
Debian installer syslog (1.39 MB, text/plain)
2015-10-04 19:47 CEST, Stefan Gohmann

Description Dirk Wiesenthal univentionstaff 2015-07-08 14:13:18 CEST
If a new system wants to join, the DC generates a certificate for it in a listener script. This certificate includes the new system's FQDN. If this FQDN is too long, the generation process exits with "CERTIFICATE: can't create certificate, Common Name too long: %s".

The joining system waits forever while trying "scp $DC:/certificate certficate" over and over again.
Comment 1 Dirk Wiesenthal univentionstaff 2015-07-08 14:24:50 CEST
Removed the check completely in
  univention-ssl 9.0.5-1.158.201507081421

FQDN is limited to about 256 chars IIRC. Yet this is not the right place to check it.
Comment 2 Philipp Hahn univentionstaff 2015-07-09 08:59:54 CEST
(In reply to Dirk Wiesenthal from comment #1)
> Removed the check completely in
>   univention-ssl 9.0.5-1.158.201507081421

FAIL!

> FQDN is limited to somewhat 256 chars IIRC. Yet this is not the right place
> to check it.

Bug #38125 comment 1, especially the part about "ub-common-name"!
Comment 3 Philipp Hahn univentionstaff 2015-07-10 09:45:19 CEST
FYI: wget (<< 1.13 UCS-3.2) does not support "X509v3 Subject Alternative Name":
 <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743290>
 <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409938>
 <https://savannah.gnu.org/bugs/index.php?20421>

$ LANG=C wget -S -O/dev/null http://www.univention.de/en/products/ucs/app-catalogue-for-univention-corporate-server/
...
Location: https://www.univention.com/products/ucs/app-catalogue-for-univention-corporate-server/
...
ERROR: certificate common name `univention.com' doesn't match requested host name `www.univention.com'.

$ openssl s_client -connect univention.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep univention
        Subject: CN=univention.com
                DNS:univention.com, DNS:www.univention.com
Comment 4 Daniel Tröder univentionstaff 2015-09-11 18:20:31 CEST
* The openssl configuration of the ucsCA is changed to copy extensions from CSRs to certificates.
* if len(FQDN)>64 the openssl configuration for generating the certificate gets "subjectAltName" added and the hostname is used as CN.
* if len(hostname)>63 the hostname is replaced with "hostname-to-long", so non-interactive scripts and the listener don't crash, but the user notices the problem (when trying to use it).

If len(FQDN)>64 a new section is added to the resulting /etc/univention/ssl/$fqdn/cert.pem:
-----------------
X509v3 Subject Alternative Name: 
    DNS:$hostname, DNS:$hostname.$domainname
-----------------

Commit: 63663
Comment 5 Daniel Tröder univentionstaff 2015-09-15 11:43:43 CEST
Commit 63695 changes the behavior:

* the fqdn is always written to SAN
* if the length of the fqdn is >64: the hostname (w/o domain) is used for CN and added to SAN, else the fqdn is used in the CN too
* if openssl terminates with an error, an exception is raised by the listener
Comment 6 Daniel Tröder univentionstaff 2015-09-15 11:58:43 CEST
BTW: cool new FQDN: "test.exa.mpl;\"touch /mkrootshell\"" :D

But works only if initiated by creating/changing a hostname (join, UMC/UDM) → needs Administrator group level access.
Comment 7 Florian Best univentionstaff 2015-09-15 12:31:30 CEST
Created attachment 7166 [details]
patch for security hole

(In reply to Daniel Tröder from comment #6)
> BTW: cool new FQDN: "test.exa.mpl;\"touch /mkrootshell\"" :D
> 
> But works only if initiated by creating/changing a hostname (join, UMC/UDM)
> → needs Administrator group level access.

This is not nice. The attached patch should fix it?!
Comment 8 Florian Best univentionstaff 2015-09-15 12:33:32 CEST
Created attachment 7167 [details]
patch for security hole

missing argument+import
Comment 9 Florian Best univentionstaff 2015-09-15 12:45:22 CEST
Created attachment 7168 [details]
patch for security hole

Simpler.
Comment 10 Daniel Tröder univentionstaff 2015-09-15 13:40:52 CEST
r63728: applied patch - thank you!
Comment 11 Philipp Hahn univentionstaff 2015-09-29 14:59:43 CEST
FAIL: UMC/UDM still complains about |FQDN|>=64
 abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ

 $ udm computers/memberserver create --position "cn=computers,$(ucr get ldap/base)" --set name=abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ --set network="$(udm networks/network list|sed -ne 's/^DN: //p;T;q')"

management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py:
    def check_common_name_length(self):
        univention.debug.debug( univention.debug.ADMIN, univention.debug.INFO, 'check_common_name_length with …
        if len(self['ip']) > 0 and len(self['dnsEntryZoneForward']) > 0:
            for zone in self['dnsEntryZoneForward']:
                if zone == '':
                    continue
                zoneName = univention.admin.uldap.explodeDn( zone[ 0 ], 1 )[ 0 ]
                if len(zoneName) + len(self['name']) >= 63:
                    univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'simpleComputer: len…
                    raise univention.admin.uexceptions.commonNameTooLong

Quote from Bug #38125 comment 1:
> Also note, that a DNS name has the following limits: 
> <http://tools.ietf.org/html/rfc1035#section-2.3.4>
> > - labels          63 octets or less
> > - names           255 octets or less


FAIL: udm computers/memberserver create --position "cn=computers,$(ucr get ldap/base)" --set name=abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
  subjectAltName is not copied from request to certificate
  → An existing /etc/univention/ssl/openldap.conf is missing the "copy_extensions = copy"

OK: /var/log/univention/listener.log
OK: openssl x509 -noout -subject -in cert.pem -nameopt multiline

FAIL: Deleting the host and re-adding it fails:
  $ udm computers/memberserver remove --dn "cn=abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ,cn=computers,$(ucr get ldap/base)"
  $ udm computers/memberserver create --position "cn=computers,$(ucr get ldap/base)" --set name=abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
  $ tail /var/log/univention/listener.log
    failed to update database
    TXT_DB error number 2
    unable to write 'random state'
  This is because the certificate does not get revoked on removal
  $ . make-certificates.sh
  $ list_cert_names
  $ revoke_cert abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
FAIL: has_valid_cert() does not work with long FQDNs:
  (. /usr/share/univention-ssl/make-certificates.sh;has_valid_cert abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname);echo $?)
  This is why the old computer certificate is not revoked!

OK: r63728
  next time no need for tempfile:
    sh -c 'echo 0=$0 1=$1 2=$2' a b c
    subprocess.call(('sh', '-c', '. /usr/share/univention-ssl/make-certificates.sh && gencert "$@"', '-', fqdn, fqdn))
  And why not use »/usr/sbin/univention-certificate new -name "$name"« as all other listener handlers do?
FAIL: r63695
  bashism vs. /bin/sh
FAIL: r63663
  subjectAltName is not copied from request to certificate as "copy_extensions = copy" does not get added to an existing /etc/univention/ssl/openssl.conf[CA_default]. This requires a new CA hierarchy to be initialized with renewing every certificate.
SKIP: r63011

FAIL: extensions-example.sh now no longer works!

...

FYI: ~phahn/BUG/38859-SSL-Check-maximum-length-of-SSL-fields.patch
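As an added example (not univention-ssl code), the CN/SAN selection rule from comment 5 combined with the RFC 1035 length limits quoted above and a label syntax check that rejects a "hostname" like the one in comment 6 before it reaches any shell-based tooling. All names are constructed; the function names are this example's own.

```python
import re

MAX_CN = 64       # X.509 ub-common-name: the limit that made the listener fail
MAX_LABEL = 63    # RFC 1035 section 2.3.4: labels 63 octets or less
MAX_NAME = 255    # RFC 1035 section 2.3.4: names 255 octets or less

# RFC 1035 hostname label: letters, digits and inner hyphens only.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def is_valid_dns_name(fqdn):
    """True if the name and every label fit the RFC 1035 limits and syntax.

    The syntax check is what rejects names carrying shell metacharacters,
    independent of how the certificate tooling is later invoked.
    """
    if not fqdn or len(fqdn) > MAX_NAME:
        return False
    return all(len(label) <= MAX_LABEL and _LABEL.fullmatch(label)
               for label in fqdn.split("."))


def certificate_names(fqdn):
    """Return (common_name, san_dns_names) following the rule from comment 5.

    The FQDN always goes into the subjectAltName. Only when it does not fit
    the 64-character CN is the bare hostname used as CN and added to the SAN.
    """
    if not is_valid_dns_name(fqdn):
        raise ValueError("not a valid DNS name: %r" % (fqdn,))
    hostname = fqdn.split(".", 1)[0]
    if len(fqdn) > MAX_CN:
        return hostname, [hostname, fqdn]
    return fqdn, [fqdn]


def openssl_san_extension(san_dns_names):
    """Render the extension line for the per-host openssl configuration."""
    return "subjectAltName = " + ", ".join("DNS:%s" % n for n in san_dns_names)


if __name__ == "__main__":
    # Constructed: the 63-character hostname from comment 11 in a test domain.
    host = "abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    for name in ("master.example.test", host + ".example.test"):
        cn, san = certificate_names(name)
        print("CN=%s\n%s" % (cn, openssl_san_extension(san)))
```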
Comment 12 Daniel Tröder univentionstaff 2015-10-02 16:26:27 CEST
Fixed in 64182.
Added changelog entry.
Comment 13 Daniel Tröder univentionstaff 2015-10-02 17:20:22 CEST
Missed univention-system-setup and changelog in commit. It is in 64183.
Comment 14 Philipp Hahn univentionstaff 2015-10-02 21:51:09 CEST
OK: r64182
OK: r64183

The tool is somewhat inconsistent in its handling of FQDN vs. HOSTNAME:

OK: DEBIAN_FRONTEND=noninteractive aptitude -y install '?source-package(univention-system-setup)~i'
OK: maxLength @ UMC-USS
OK: DEBIAN_FRONTEND=noninteractive aptitude -y install '?source-package(univention-ssl)?not(?name(udeb))~i'
OK: univention-certificate list
OK: univention-certificate new -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
OK: univention-certificate new -name abcdefghijklmnopqrstuvwxyz-0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
OK: univention-certificate new -name abcdefghijklmnopqrstuvwxyz-01234-56789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname) # too long
OK: univention-certificate check -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
FAIL: univention-certificate check -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
FAIL: univention-certificate dump -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
OK: univention-certificate dump -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
FAIL: univention-certificate renew -days 31 -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
OK: univention-certificate renew -days 31 -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)
OK: univention-certificate revoke -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ
OK: univention-certificate revoke -name abcdefghijklmnopqrstuvwxyz0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)

OK: python -c '
from M2Crypto import X509
from sys import argv
f = argv[1]
c = X509.load_cert(f)
e = c.get_ext("subjectAltName")
v = e.get_value()
a = v.split(", ")
a = [_[len("DNS:"):] for _ in a if _.startswith("DNS:")]
print a
' abcdefghijklmnopqrstuvwxyz-0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ.$(dnsdomainname)/cert.pem

OK: ucr set ssl/organization=01234567890123456789012345678901234567890123456789012345678901234
    (. /usr/share/univention-ssl/make-certificates.sh;set -x;init)
    # ssl/organization too long; max 64
FIXED: ucr set ssl/country=01 ssl/state=01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 ssl/locality=01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 ssl/organization=0123456789012345678901234567890123456789012345678901234567890123 ssl/organizationalunit=0123456789012345678901234567890123456789012345678901234567890123 ssl/email=01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 ssl/common=0123456789012345678901234567890123456789012345678901234567890123
      (. /usr/share/univention-ssl/make-certificates.sh;set -x;init)
      # -bash: $5 ist nicht gesetzt.
      # cp: reguläre Datei „ucsCA/newcerts/00.pem“ kann nicht angelegt werden: Datei oder Verzeichnis nicht gefunden
FYI: The symlink "HOSTNAME -> FQDN" is only created by the listener; using the CLI directly does not create the link automatically; it must be done manually.

r64184 | Bug #38859 ssl: Fix init()

Package: univention-ssl
Version: 10.0.0-6.163.201510022116
Branch: ucs_4.1-0
Comment 15 Stefan Gohmann univentionstaff 2015-10-04 19:46:34 CEST
The 4.1 installation now fails:

Oct  4 13:42:07 in-target: Setting up univention-ssl (10.0.0-6.163.201510022116) ...
Oct  4 13:42:07 in-target: Create ssl/country
Oct  4 13:42:07 in-target: Create ssl/state
Oct  4 13:42:07 in-target: Create ssl/locality
Oct  4 13:42:07 in-target: Create ssl/organization
Oct  4 13:42:07 in-target: Create ssl/organizationalunit
Oct  4 13:42:07 in-target: Create ssl/common
Oct  4 13:42:07 in-target: Create ssl/email
Oct  4 13:42:07 in-target: Create ssl/default/days
Oct  4 13:42:07 in-target: Create ssl/validity/warning
Oct  4 13:42:07 in-target: Create ssl/validity/check
Oct  4 13:42:07 in-target: Create ssl/default/hashfunction
Oct  4 13:42:07 in-target: Create ssl/default/bits
Oct  4 13:42:07 in-target: Sun Oct  4 09:42:07 EDT 2015
Oct  4 13:42:07 in-target: Generating RSA private key, 2048 bit long modulus
...
Oct  4 13:42:07 in-target: '
Oct  4 13:42:07 in-target: Certificate is to be certified until 
Oct  4 13:42:07 in-target: Oct  2 13:42:07 2020 GMT
Oct  4 13:42:07 in-target:  (1825 days)
Oct  4 13:42:07 in-target: 
Oct  4 13:42:07 in-target: 
Oct  4 13:42:07 in-target: Write out database with 1 new entries
Oct  4 13:42:07 in-target: Data Base Updated
Oct  4 13:42:07 in-target: /var/lib/dpkg/info/univention-ssl.postinst: line 85: configure: unbound variable
Oct  4 13:42:07 in-target: dpkg: error processing univention-ssl (--configure):
Oct  4 13:42:07 in-target:  subprocess installed post-installation script returned error exit status 1
Oct  4 13:42:07 in-target: dpkg: dependency problems prevent configuration of univention-apache:
Oct  4 13:42:07 in-target:  univention-apache depends on univention-ssl; however:
Oct  4 13:42:07 in-target:   Package univention-ssl is not configured yet.

I'm not sure if this issue is the cause for it, but some days ago the 4.1 installation worked.
Comment 16 Stefan Gohmann univentionstaff 2015-10-04 19:47:25 CEST
Created attachment 7200 [details]
Debian installer syslog
Comment 17 Stefan Gohmann univentionstaff 2015-10-05 07:19:49 CEST
(In reply to Stefan Gohmann from comment #15)
> Oct  4 13:42:07 in-target: /var/lib/dpkg/info/univention-ssl.postinst: line
> 85: configure: unbound variable

I've fixed this error: r64193

The DVD installation works again.
Comment 18 Philipp Hahn univentionstaff 2015-10-05 12:03:17 CEST
OK: ucr set ssl/host/extensions=$PWD/extensions-example.sh
OK: r64205
FIXED: sslbase=/some/where/else univention-certificate dump
 r64209 | Bug #38859 ssl: Fix hard-coded SSL base
ADDED:
 r64210 | Bug #38859 ssl: Add unit test

VERIFIED
Comment 19 Stefan Gohmann univentionstaff 2015-11-17 12:12:10 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".
Comment 20 Philipp Hahn univentionstaff 2016-06-22 13:15:37 CEST
*** Bug 31368 has been marked as a duplicate of this bug. ***
Comment 21 Philipp Hahn univentionstaff 2016-06-22 13:32:24 CEST
*** Bug 34101 has been marked as a duplicate of this bug. ***
Comment 22 Philipp Hahn univentionstaff 2016-06-22 13:38:04 CEST
*** Bug 34102 has been marked as a duplicate of this bug. ***
Comment 23 Philipp Hahn univentionstaff 2016-06-22 13:44:18 CEST
*** Bug 32763 has been marked as a duplicate of this bug. ***