Cisco Bug: CSCvs35313 - sec-509-validate-3 COPY COMMAND INCORRECTLY SUBSTITUTES IP ADDRESS FOR HOSTNAME ON NX9K

Last Modified

Jul 22, 2020

Products (65)

  • Cisco Nexus 9000 Series Switches
  • Cisco Nexus 92348GC-X Switch
  • Cisco Nexus 3636C-R Switch
  • Cisco Nexus 9516 Switch
  • Cisco Nexus 3548-X Switch
  • Cisco Nexus 93600CD-GX Switch
  • Cisco Nexus 3548 Switch
  • Cisco Nexus 3064 Switch
  • Cisco Nexus 9396TX Switch
  • Cisco Nexus 31108TC-V Switch

Known Affected Releases

9.3(3) 9.3(3.90)

Description (partial)

Symptom:
Given a TLS server whose certificate carries only the hostname (not the IP address) as the subject name, configure a hostname-to-IP-address mapping on the NX9K:

NEXUS9K(config)# ip host fqdn-test 192.168.1.6
NEXUS9K(config)# end

And then try to copy something from that server:

copy https://fqdn-test/bogus bootflash:
Enter vrf (If no input, current vrf 'default' is considered): 
Enter username: lab

The software comes back with the following error:

curl: (60) SSL: certificate subject name 'fqdn-test' does not match target host name '192.168.1.6'
More details here: https://curl.haxx.se/docs/sslcerts.html


The problem is that we did not give the IP address as the target hostname. We used fqdn-test, which is the name in the cert, so verification should have succeeded.
Somehow the code is substituting the resolved IP address for the hostname that the customer supplied.

Conditions:
1) IP HOST statement mapping IP address to the hostname of the server
2) Server cert does not have the IP address in the Subject or SAN
3) COPY command uses the server name (not the IP address)
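The following is an added example, not Cisco's code, that models the two behaviours the report contrasts: validating the certificate against the name the user typed (correct) versus against the address that an "ip host" mapping resolves it to (the reported defect). The certificate SAN list and the host table are constructed samples mirroring the report; the matcher is a minimal RFC 6125-style check in which a DNS-ID can never satisfy an IP-literal target, which is exactly why the resolved address fails against a hostname-only certificate.

```python
"""
Added example (not Cisco's code): a minimal RFC 6125-style identity check
showing why verifying a server certificate against the resolved IP address
instead of the hostname the user supplied fails.
"""
import ipaddress
from typing import Iterable, Tuple

# Constructed sample: a certificate whose only identity is the DNS name
# "fqdn-test" (no iPAddress SAN), as described in the bug report.
SERVER_CERT_SAN = [("DNS", "fqdn-test")]

# Constructed sample: the "ip host fqdn-test 192.168.1.6" mapping from the report.
IP_HOST_TABLE = {"fqdn-test": "192.168.1.6"}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match allowing a single left-most wildcard label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label, must not cover a public
    # suffix on its own, and covers exactly one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_target(san_entries: Iterable[Tuple[str, str]], target: str) -> bool:
    """Return True if the certificate identifies `target` (a DNS name or IP literal)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            # An IP-literal target may only match an iPAddress SAN entry;
            # a dNSName entry never satisfies it.
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, target):
            return True
    return False


def verify_as_typed(user_target: str) -> bool:
    """Correct behaviour: validate against the name the user actually supplied."""
    return cert_matches_target(SERVER_CERT_SAN, user_target)


def verify_after_resolution(user_target: str) -> bool:
    """Defective behaviour described in the report: resolve the name through the
    ip host table first, then validate the certificate against the resolved IP."""
    resolved = IP_HOST_TABLE.get(user_target, user_target)
    return cert_matches_target(SERVER_CERT_SAN, resolved)


if __name__ == "__main__":
    print("validated as typed:", verify_as_typed("fqdn-test"))
    print("validated after resolution:", verify_after_resolution("fqdn-test"))
```

Running the block shows the first check succeeding and the second failing, which reproduces the "certificate subject name 'fqdn-test' does not match target host name '192.168.1.6'" outcome in logic form. The workaround a practitioner would avoid is adding the IP address to the certificate's SAN just to satisfy the buggy path; the identity presented for verification should be the reference identifier the user typed.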