openssl icon indicating copy to clipboard operation
openssl copied to clipboard

Published 20 hours ago verified publisher icon openssl

Increase size limits of RFC values

Open dsoumis opened this issue 1 year ago • 0 comments

CLA: trivial

Leading edge technologies are using long names to define for example a fully qualified domain name. Thus, it is of utmost importance to replace those old limits and adapt them to the current needs.

Also max values have been defined in openssl.cnf file to prevent the binary of openssl from exiting and to provide the user with proper feedback in order to fix their input without the need of restarting the execution of the binary.

Checklist
  • [X] documentation is added or updated

dsoumis avatar Aug 10 '22 07:08 dsoumis

Do we have an authoritative source for new values?

beldmit avatar Aug 10 '22 09:08 beldmit

I have not found out an authoritative source, thus values should be discussed prior of this PR's possible merge. However, current limits can not support examples of values such as ' console-openshift-console.randomuser-cluster-0c576f1a70d454f092d8591887631748-0000.eu-de.containers.appdomain.cloud ' and similar lengthy FQDNs.

dsoumis avatar Aug 10 '22 10:08 dsoumis

One might just as well ask if we have an authoritative source for the current values ... which is seems that we may. E.g., RFC 5280's appendix A.1, that lists:

--  specifications of Upper Bounds MUST be regarded as mandatory
--  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
--  Upper Bounds

-- Upper Bounds
ub-name INTEGER ::= 32768
ub-common-name INTEGER ::= 64
ub-locality-name INTEGER ::= 128
ub-state-name INTEGER ::= 128
ub-organization-name INTEGER ::= 64
ub-organizational-unit-name INTEGER ::= 64
[...]
ub-emailaddress-length INTEGER ::= 255
ub-common-name-length INTEGER ::= 64
ub-country-name-alpha-length INTEGER ::= 2
ub-country-name-numeric-length INTEGER ::= 3
[...]
ub-given-name-length INTEGER ::= 16
[...]
ub-organization-name-length INTEGER ::= 64
ub-organizational-unit-name-length INTEGER ::= 32

kaduk avatar Aug 11 '22 20:08 kaduk

OTC: Should we ignore limits from RFC 5280's appendix A.1?

t8m avatar Aug 16 '22 06:08 t8m

In my opinion this is wrong and we should not ignore the limits from RFC. The FQDN does NOT have to be in CN as the FQDN should be in Subject Alt Names as DNS name instead - there should be no limit for that.

t8m avatar Aug 16 '22 06:08 t8m

OTC: Should we ignore limits from RFC 5280's appendix A.1?

No

levitte avatar Aug 16 '22 06:08 levitte

OTC: Should we ignore limits from RFC 5280's appendix A.1?

No until there is any other authority established new widely used limits.

beldmit avatar Aug 16 '22 06:08 beldmit

In my opinion this is wrong and we should not ignore the limits from RFC. The FQDN does NOT have to be in CN as the FQDN should be in Subject Alt Names as DNS name instead - there should be no limit for that.

Actually, RFC 5280 uses stronger words on the subject. From RFC 5280, 4.2.1.6. Subject Alternative Name (italics mine, for emphasis):

Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI). Other options exist, including completely local definitions. Multiple name forms, and multiple instances of each name form, MAY be included. Whenever such identities are to be bound into a certificate, the subject alternative name (or issuer alternative name) extension MUST be used; however, a DNS name MAY also be represented in the subject field using the domainComponent attribute as described in Section 4.1.2.4.

levitte avatar Aug 16 '22 06:08 levitte

OTC: Unless there is a relevant authoritative source that overrides the RFC 5280 limits we aren't going to change the limits.

t8m avatar Sep 06 '22 08:09 t8m