Fake certificate version
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Fri, 23 Mar 2012 14:27:31 +0000 (16:27 +0200)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Fri, 23 Mar 2012 14:27:31 +0000 (16:27 +0200)
According to RFC 5280: "When extensions are used, as expected in this profile,
version MUST be 3 (value is 2)". This patch sets the generated certificate's
version to 3 when the subjectAltName extension is copied from the mimicked certificate.

src/ssl/gadgets.cc

index 55fcabe6f4f585e026a4b96e639008a8047040fe..15bedf67f9403afcb0d8c377ec9821fb696a1a53 100644 (file)
@@ -309,8 +309,14 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
         if (!properties.setCommonName) {
             int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
             X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos); 
-            if (ext)
+            if (ext) {
                 X509_add_ext(cert.get(), ext, -1);
+                /* According the RFC 5280 using extensions requires version 3
+                   certificate.
+                   Set version value to 2 for version 3 certificates.
+                 */
+                X509_set_version(cert.get(), 2);
+            }
         }
     }
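Review bot: The return values of `X509_add_ext()` and the newly added `X509_set_version()` call inside the `if (ext)` block are both ignored. If the version call fails, the generated certificate is still a v1 certificate carrying an extension, which is the RFC 5280 violation this commit sets out to fix. If the add fails, the certificate is marked v3 but lacks the subjectAltName that clients rely on for hostname matching. Since `buildCertificate` returns `bool`, consider `if (!X509_add_ext(cert.get(), ext, -1) || !X509_set_version(cert.get(), 2)) return false;`, provided an early return is safe for the rest of the function, which starts and ends outside this hunk. The version is also raised only on the subjectAltName path, so any other extensions the function may add elsewhere (not visible here) would need the same treatment.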