OpenSSL changed format of x509 outputs #167

Closed
tofu-rocketry opened this issue Jun 24, 2021 · 3 comments · Fixed by #272
Comments

@tofu-rocketry
Member

tofu-rocketry commented Jun 24, 2021

Default output format has changed between OpenSSL versions 1.0.2 and 1.1.1. The -nameopt argument can be used, but it seems to have inconsistent results if you use the -nameopt compat format. There is the option of "negated" format options, e.g. -nameopt -oneline, but I can't find a combo that helps. This implies we'd need to check what version of OpenSSL is being used, or change the format of the subject strings everywhere.

1.0.2:

$ openssl x509 -noout -subject < /etc/grid-security/certificates/UKeScienceCA-2B.pem
subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B

$ openssl x509 -noout -nameopt compat -subject < /etc/grid-security/certificates/UKeScienceCA-2B.pem
subject= C=UK, O=eScienceCA, OU=Authority, CN=UK e-Science CA 2B

$ openssl x509 -noout -nameopt oneline -subject < /etc/grid-security/certificates/UKeScienceCA-2B.pem
subject= C = UK, O = eScienceCA, OU = Authority, CN = UK e-Science CA 2B

$ openssl x509 -noout -nameopt -oneline -subject < /etc/grid-security/certificates/UKeScienceCA-2B.pem
subject= C=UK, O=eScienceCA, OU=Authority, CN=UK e-Science CA 2B

1.1.1:

$ openssl x509 -noout -subject < /etc/grid-security/certificates/UKeScienceCA-2B.pem
subject=C = UK, O = eScienceCA, OU = Authority, CN = UK e-Science CA 2B

$ openssl x509 -noout -nameopt compat -subject < certificate.crt
subject=/C=UK/L=Didcot/O=RAL/CN=this

$ openssl x509 -noout -nameopt oneline -subject < /etc/grid-security/certificates/UKeScienceCA-2B.pem
subject=C = UK, O = eScienceCA, OU = Authority, CN = UK e-Science CA 2B

$ openssl x509 -noout -nameopt -oneline -subject < /etc/grid-security/certificates/UKeScienceCA-2B.pem
subject=/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
@jrha
Contributor

jrha commented Jun 30, 2021

@tofu-rocketry
Member Author

I've added the compat outputs for the different versions above. As you can see, compat isn't compatible!

CentOS 8 cloud VM seems to have 1.1.1 so it may be an issue sooner than we'd like. 🤔

[root@apel-centos-8-test ~]# rpm -aq | grep openssl
openssl-1.1.1c-15.el8.x86_64
openssl-pkcs11-0.4.10-2.el8.x86_64
openssl-libs-1.1.1c-15.el8.x86_64

I guess the fix is to take whatever input we get, break it down to a list or dict and compare those.
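
One way to do the normalisation suggested above, as an added example that is not APEL code or part of this thread: parse the subject line from either OpenSSL version (and from either -nameopt compat output shown earlier) into an ordered list of (attribute, value) pairs and compare those rather than the raw strings. The sample lines are constructed from the outputs quoted in the issue; parse_subject and subjects_match are names assumed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample lines, in the shapes shown in the issue for the two
# OpenSSL versions (same certificate, different default -nameopt output).
SUBJECT_OPENSSL_102 = "subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B"
SUBJECT_OPENSSL_111 = "subject=C = UK, O = eScienceCA, OU = Authority, CN = UK e-Science CA 2B"

# Slash form: split only on a '/' that starts a new "ATTR=" component, so a
# '/' inside a value is kept.  Comma form: split on ", " unless the comma is
# backslash-escaped (the RFC 2253 escape), which is treated as part of a value.
_SLASH_SEP = re.compile(r"/(?=[A-Za-z0-9.]+=)")
_COMMA_SEP = re.compile(r"(?<!\\), ")


def parse_subject(line: str) -> List[Tuple[str, str]]:
    """Normalise an `openssl x509 -subject` line from OpenSSL 1.0.2 or 1.1.1
    (with or without -nameopt compat) into an ordered list of
    (attribute, value) pairs.  Order is kept because RDN order is significant
    in a distinguished name, so a dict would lose information."""
    body = re.sub(r"^subject=\s*", "", line.strip())  # "subject= " vs "subject="
    if body.startswith("/"):
        parts = _SLASH_SEP.split(body[1:])      # /C=UK/O=... style
    else:
        parts = _COMMA_SEP.split(body)          # C = UK, O = ... or C=UK, O=... style
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")    # split on the first '=' only
        pairs.append((attr.strip(), value.strip().replace("\\,", ",")))
    return pairs


def subjects_match(line_a: str, line_b: str) -> bool:
    """Compare two subject lines by their parsed components, not their text."""
    return parse_subject(line_a) == parse_subject(line_b)


if __name__ == "__main__":
    print(parse_subject(SUBJECT_OPENSSL_102))
    print(subjects_match(SUBJECT_OPENSSL_102, SUBJECT_OPENSSL_111))  # True
```

A value that itself contains "/X=" is still ambiguous in the 1.0.2 slash format, which is one reason to read the subject through a library (as suggested later in the thread) rather than from text.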

@jrha
Contributor

jrha commented Jul 6, 2021

I think you should consider using PyOpenSSL.
