Guest

Preview Tool

Cisco Bug: CSCuw38129 - Add support for X509 Name Constraints extension Other name field

Last Modified

Feb 13, 2018

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.5(2.12901.1) 9.1(2.11900.12)

Description (partial)

Symptom:
Secure LDAP fails to bind on CUCM

Conditions:
LDAP certificate contains X509 name constraints extension with Other name field

following java exception present in ccmadmin logs

The error thrown in 9.1.2 :
==============================
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: TrustAnchor contained unsupported name constraints encountered
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1209)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:135)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:366)

Error in 10.5.2 :
================
Caused by: java.security.cert.CertificateException: the certificate chain is not trusted, Unsupported name constraints encountered
at com.rsa.sslj.x.ad.a(Unknown Source)
at com.rsa.sslj.x.ad.checkServerTrusted(Unknown Source)
at com.rsa.sslj.x.bv.a(Unknown Source)
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.