  1. EJBCA
  2. ECA-6124

CAA max recursion count is triggering for other checks than CNAMES

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: EJBCA 6.9.0.6
    • Fix Version/s: EJBCA 6.9.0.6
    • Component/s: None
    • Labels: None

      Description

      In a highly embarrassing turn of events, it turns out that the validator is rejecting long DNS strings. The point of the recursion limitation is to stop the validator from locking due to a malicious CNAME loop, but as implemented it'll add each lookup to the count.

      We should only add to the counter if a CNAME lookup is passed.
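
The counting difference described above, as an added example (not EJBCA code, and not part of the original ticket): a CAA search over a constructed in-memory zone that climbs toward the root and follows CNAMEs, run with the counter spent on every lookup and then only on CNAME follows. `ZONE`, `MAX_HOPS`, `find_caa` and `TooManyLookups` are hypothetical names, and the limit of 8 is an assumed value.

```python
# Added illustration; not EJBCA code. ZONE is constructed sample data.
MAX_HOPS = 8  # assumed limit; the ticket does not state EJBCA's value


class TooManyLookups(Exception):
    """Raised when the lookup budget is exhausted."""


ZONE = {
    "example.com": {"CAA": ['0 issue "ca.example"']},
    "loop-a.example.net": {"CNAME": "loop-b.example.net"},
    "loop-b.example.net": {"CNAME": "loop-a.example.net"},
    "www.alias.example.org": {"CNAME": "host.example.com"},
}


def find_caa(name, zone, count_every_lookup=False, limit=MAX_HOPS):
    """Return the CAA record set that applies to name, or [] if none.

    count_every_lookup=True reproduces the reported behaviour, where each
    query spends the budget; False spends it only when a CNAME is followed.
    """
    hops = 0
    name = name.rstrip(".").lower()
    while name:
        if count_every_lookup:
            hops += 1
            if hops > limit:
                raise TooManyLookups(name)
        rrset = zone.get(name, {})
        if "CAA" in rrset:
            return rrset["CAA"]
        if "CNAME" in rrset:
            if not count_every_lookup:
                hops += 1
                if hops > limit:
                    raise TooManyLookups(name)
            # Simplification: the search continues from the alias target.
            name = rrset["CNAME"].rstrip(".").lower()
            continue
        # No CAA and no alias at this name: climb to the parent domain.
        name = name.partition(".")[2]
    return []
```

With the default mode, a name with many labels under `example.com` resolves to that domain's CAA set while the `loop-a`/`loop-b` alias cycle still raises `TooManyLookups`; with `count_every_lookup=True` the long name is rejected as well.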


            People

            Assignee:
            hsunmark Henrik Sunmark
            Reporter:
            mikek Mike Agrenius Kushner
            Verified by:
            Tomas Gustavsson


                Time Tracking

                Estimated: 2d
                Remaining: 1d 7h
                Logged: 1h