Kudu / KUDU-1981

With security enabled, Kudu servers cannot start on machines with len(FQDN) > 64

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.1
    • Fix Version/s: 1.3.1, 1.4.0
    • Component/s: master, tserver
    • Labels:
      None
    • Environment:
      This was noticed on a machine in GCE with an FQDN 72 characters long: ifi-ss-poc-cm-cdh-8d5b8302-039c-4298-8283-330a04bbe140.c.gcp-se.internal

      Description

      Due to hard-coded restrictions in the OpenSSL library, Kudu server components cannot start on machines with an FQDN longer than 64 characters when security is enabled:

      F0425 02:05:47.341861 14167 master_main.cc:68] Check failed: _s.ok() Bad status: Runtime error: could not generate CSR: error setting subject "common name": error:140A90A1:SSL routines:SSL_CTX_new:library has no ciphers:ssl_lib.c:1803 error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=64
      *** Check failure stack trace: ***
      

      It seems OpenSSL enforces the restrictions described on page 123 of RFC 5280 (https://www.rfc-editor.org/rfc/rfc5280.txt):

      --  specifications of Upper Bounds MUST be regarded as mandatory
      --  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
      --  Upper Bounds
      
      -- Upper Bounds
      ub-name INTEGER ::= 32768
      ub-common-name INTEGER ::= 64
      ub-locality-name INTEGER ::= 128
      ub-state-name INTEGER ::= 128
      ub-organization-name INTEGER ::= 64
      ub-organizational-unit-name INTEGER ::= 64
      ub-title INTEGER ::= 64
      ub-serial-number INTEGER ::= 64
      ub-match INTEGER ::= 128
      ub-emailaddress-length INTEGER ::= 255
      ub-common-name-length INTEGER ::= 64
      ub-country-name-alpha-length INTEGER ::= 2
      ub-country-name-numeric-length INTEGER ::= 3
      ub-domain-defined-attributes INTEGER ::= 4
      ub-domain-defined-attribute-type-length INTEGER ::= 8
      ub-domain-defined-attribute-value-length INTEGER ::= 128
      ub-domain-name-length INTEGER ::= 16
      ub-extension-attributes INTEGER ::= 256
      ub-e163-4-number-length INTEGER ::= 15
      ub-e163-4-sub-address-length INTEGER ::= 40
      ub-generation-qualifier-length INTEGER ::= 3
      ub-given-name-length INTEGER ::= 16
      ub-initials-length INTEGER ::= 5
      ub-integer-options INTEGER ::= 256
      ub-numeric-user-id-length INTEGER ::= 32
      ub-organization-name-length INTEGER ::= 64
      ub-organizational-unit-name-length INTEGER ::= 32
      ub-organizational-units INTEGER ::= 4
      ub-pds-name-length INTEGER ::= 16
      ub-pds-parameter-length INTEGER ::= 30
      ub-pds-physical-address-lines INTEGER ::= 6
      ub-postal-code-length INTEGER ::= 16
      ub-pseudonym INTEGER ::= 128
      ub-surname-length INTEGER ::= 40
      ub-terminal-id-length INTEGER ::= 24
      ub-unformatted-address-length INTEGER ::= 180
      ub-x121-address-length INTEGER ::= 16
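
A pre-flight check for the failure described above, as an added example that is not part of the original report or of Kudu's code: it parses an OpenSSL-style subject string and reports every attribute longer than the RFC 5280 upper bound quoted in the listing. The function names and the second sample hostname are assumptions made for illustration.

```python
import re

# Upper bounds (in characters) taken from the RFC 5280 listing quoted above,
# keyed by the short attribute names used in OpenSSL-style subject strings.
UPPER_BOUNDS = {
    "CN": 64,            # ub-common-name
    "L": 128,            # ub-locality-name
    "ST": 128,           # ub-state-name
    "O": 64,             # ub-organization-name
    "OU": 64,            # ub-organizational-unit-name
    "title": 64,         # ub-title
    "serialNumber": 64,  # ub-serial-number
}


def parse_subject(subject):
    """Split '/CN=host/O=org' into (type, value) pairs; '\\/' escapes a slash."""
    pairs = []
    for part in re.split(r"(?<!\\)/", subject):
        if not part:
            continue  # leading '/' yields an empty first component
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed subject component: %r" % part)
        pairs.append((attr.strip(), value.replace("\\/", "/")))
    return pairs


def oversized_attributes(subject):
    """Return (type, length, limit) for every attribute above its upper bound."""
    problems = []
    for attr, value in parse_subject(subject):
        limit = UPPER_BOUNDS.get(attr)
        # The bound counts characters, not encoded bytes, so len() on str applies.
        if limit is not None and len(value) > limit:
            problems.append((attr, len(value), limit))
    return problems


# FQDN from the Environment field of this issue (72 characters).
LONG_FQDN = "ifi-ss-poc-cm-cdh-8d5b8302-039c-4298-8283-330a04bbe140.c.gcp-se.internal"

if __name__ == "__main__":
    # The second subject is constructed sample input with a short hostname.
    for subject in ("/CN=" + LONG_FQDN, "/CN=kudu-master-1.example.internal/O=Example"):
        print(subject, "->", oversized_attributes(subject) or "ok")
```

Running such a check before CSR generation turns the fatal startup error into an explicit report naming the attribute, its length and the limit.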
      

            People

            • Assignee:
              aserbin Alexey Serbin
              Reporter:
              aserbin Alexey Serbin