s4:lib/tls: add additional dns hostnames as GNUTLS_SAN_DNSNAME for self-signed certif...
authorStefan Metzmacher <metze@samba.org>
Tue, 26 Aug 2025 13:22:10 +0000 (15:22 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 26 Aug 2025 22:00:26 +0000 (22:00 +0000)
It's better to also include the additional DNS hostnames as X509v3
Subject Alternative Name DNS entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Aug 26 22:00:26 UTC 2025 on atb-devel-224

source4/lib/tls/tls.h
source4/lib/tls/tls_tstream.c
source4/lib/tls/tlscert.c

index 2e7515115e58f0a84fe1b578915968b3bf8fa464..d835491140212287d97ca1dcabdeed4622a6f160 100644 (file)
@@ -28,6 +28,7 @@ struct loadparm_context;
 
 void tls_cert_generate(TALLOC_CTX *mem_ctx,
                       const char *hostname,
+                      const char * const *additional_hostnames,
                       const char *keyfile, const char *certfile,
                       const char *cafile);
 
@@ -75,6 +76,7 @@ NTSTATUS tstream_tls_params_quic_prepare(struct tstream_tls_params *tlsp);
 
 NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
                                   const char *dns_host_name,
+                                  const char * const *additional_dns_hostnames,
                                   bool enabled,
                                   const char *key_file,
                                   const char *cert_file,
index 298b76d2439b3517ae99766a8cec9e880aa56231..f91388947c2f1a59eaf5edd9e5fb0938f24de20b 100644 (file)
@@ -1516,6 +1516,7 @@ int tstream_tls_connect_recv(struct tevent_req *req,
 */
 NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
                                   const char *dns_host_name,
+                                  const char * const *additional_dns_hostnames,
                                   bool enabled,
                                   const char *key_file,
                                   const char *cert_file,
@@ -1566,6 +1567,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
 
        if (!file_exist(ca_file)) {
                tls_cert_generate(tlsp, dns_host_name,
+                                 additional_dns_hostnames,
                                  key_file, cert_file, ca_file);
        }
 
@@ -1688,6 +1690,7 @@ NTSTATUS tstream_tls_params_server_lpcfg(TALLOC_CTX *mem_ctx,
 
        status = tstream_tls_params_server(mem_ctx,
                                           lpcfg_dns_hostname(lp_ctx),
+                                          lpcfg_additional_dns_hostnames(lp_ctx),
                                           lpcfg_tls_enabled(lp_ctx),
                                           lpcfg_tls_keyfile(frame, lp_ctx),
                                           lpcfg_tls_certfile(frame, lp_ctx),
index 98ecb6eb134f4e30ea6661d0ec99fe366d02e740..08386166a5594fb64afa4181bd96dfcce52b10ce 100644 (file)
@@ -39,6 +39,7 @@
 */
 void tls_cert_generate(TALLOC_CTX *mem_ctx, 
                       const char *hostname, 
+                      const char * const *additional_hostnames,
                       const char *keyfile, const char *certfile,
                       const char *cafile)
 {
@@ -50,6 +51,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
        size_t bufsize;
        size_t keyidsize = sizeof(keyid);
        time_t activation = time(NULL), expiry = activation + LIFETIME;
+       size_t adhn_idx;
        int ret;
 
        if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
@@ -113,6 +115,17 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
        TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
                                                      hostname, strlen(hostname),
                                                      GNUTLS_FSAN_SET));
+       for (adhn_idx = 0;
+            additional_hostnames != NULL &&
+            additional_hostnames[adhn_idx] != NULL;
+            adhn_idx++)
+       {
+               const char *adhn = additional_hostnames[adhn_idx];
+
+               TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
+                                                             adhn, strlen(adhn),
+                                                             GNUTLS_FSAN_APPEND));
+       }
        TLSCHECK(gnutls_x509_crt_set_key(crt, key));
        TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
        TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
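Review bot: The loop condition re-evaluates `additional_hostnames != NULL` on every iteration; wrapping the loop in a single `if (additional_hostnames != NULL)` guard, with the index declared in the `for`, reads more directly and keeps the NULL case explicit. Separately, `GNUTLS_FSAN_APPEND` adds each entry as given, so an entry equal to `hostname` or repeated within the list would presumably end up as duplicate dNSName SANs in the generated certificate; if the configured list can contain such values, skipping entries that match `hostname` (e.g. `if (strcasecmp(adhn, hostname) == 0) continue;`) before the call would avoid that. The body of tls_cert_generate continues outside the hunk.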