Sonus SBC 1k/2k generates bad multi-SAN certs

Sonus is investigating a problem where the SBC 1k/2k & SWe Lite generate bad multi-SAN CSRs. The issue results in the additional SANs being added to the certificate as a single SAN, comma-separated:

Sonus-BadCSR-highlight

Sonus-BadCert

Clearly this is a parsing error in the CSR-generating code, but unfortunately a fix isn’t immediately apparent. Separating the SANs with a space or a comma followed by a space – or even a carriage return – still results in bad certs.

Affected versions

The issue has been confirmed in the 1k/2k on 5.0.0 b395, 5.0.1 b399, 6.0.0 b435, 6.1.2 b471 & 6.1.3 b474. In the SWe Lite it’s present in at least 6.1.1 b91 & 6.1.2 b104.

Work-around

You’re in luck if you only want two SANs on the cert – its hostname and presumably an alias. The “Generate Sonus CSR” code is *automatically* adding the hostname as a SAN, so in the SAN field you only need to enter its alias and you’ll end up with a well-crafted cert with 2 SANs:

Sonus-GoodCSR

Sonus-GoodCert

If for some reason you want/need more then I think you’re toast. I’ll update the post if I get a work-around from the Sonus TAC. If you have any certs expiring soon, don’t leave it too late to replace them.

Revision History

24th September 2017. This is the initial post.

 
– G.

4 Comments

    • Did it duplicate any SANs in your CSR? I’m still having problems with it, as recently as 7.0.2 b485. If I repeat the CN as a SAN (say to appease Chrome), the SBC puts TWO copies of the SAN in the CSR.

      I’m wondering if their logic is “if the user adds a SAN to the CSR, then automatically add the CN as another SAN” – but they’re not de-duping it, so you end up with either none, or two of the same. Escalated again…

Leave a Reply

Your email address will not be published. Required fields are marked *

... and please just confirm for me that you're not a bot first: Time limit is exhausted. Please reload the CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.