Squid tries to generate a certificate for long domain names, which is not
possible.
According to RFC 5280 (Section A.1), the common name length in a certificate
can be at most 64 characters. Therefore it is not possible to generate a valid
certificate with the above domain name as common name.
This patch does not allow the use of common names longer than 64 bytes in the
setCommonName adaptation algorithm. Also, in the case OpenSSL fails to
read the subject name from the mimicking certificate, it does not set any subject on the
generated certificate (currently ssl_crtd crashes).
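The following is an added example, not Squid code and not part of this commit. It applies the RFC 5280 ub-common-name bound (64, Appendix A.1) to the parameter of a `setCommonName{...}` adaptation and contrasts a character count with the byte count that `strlen(param) > 64` uses; the brace syntax is taken from the patch's own error message, and the sample `sslproxy_cert_adapt` lines are constructed for the example.

```python
import re
from typing import Dict, Optional

# RFC 5280 Appendix A.1: ub-common-name INTEGER ::= 64. The constraint applies to
# the DirectoryString, i.e. it is counted in characters, not in UTF-8 bytes.
UB_COMMON_NAME = 64

# setCommonName{...} as it appears in the patch's error message; the rest of the
# directive layout is an assumption of this example.
_SET_CN = re.compile(r"setCommonName\{([^}]*)\}")


def extract_set_common_name(directive: str) -> Optional[str]:
    """Return the static common name from a directive, or None if absent."""
    m = _SET_CN.search(directive)
    return m.group(1) if m else None


def cn_fits_rfc5280(cn: str) -> bool:
    """RFC 5280 bound counted in characters, as the ASN.1 SIZE constraint is."""
    return 0 < len(cn) <= UB_COMMON_NAME


def cn_passes_byte_check(cn: str) -> bool:
    """Mirror of the patch: strlen(param) > 64 rejects, i.e. a UTF-8 byte count."""
    return 0 < len(cn.encode("utf-8")) <= UB_COMMON_NAME


def classify(directive: str) -> Dict[str, object]:
    """Evaluate one directive under both the RFC bound and the byte-count check."""
    cn = extract_set_common_name(directive)
    if cn is None:
        return {"cn": None, "rfc_ok": False, "byte_check_ok": False,
                "note": "no setCommonName{...} parameter"}
    rfc_ok = cn_fits_rfc5280(cn)
    byte_ok = cn_passes_byte_check(cn)
    if rfc_ok and byte_ok:
        note = "accepted"
    elif not rfc_ok:
        note = "rejected: longer than ub-common-name"
    else:
        # Only multibyte UTF-8 names land here: within 64 characters but over 64
        # bytes, so the byte check is the stricter of the two.
        note = "rejected by byte count although within 64 characters"
    return {"cn": cn, "chars": len(cn), "bytes": len(cn.encode("utf-8")),
            "rfc_ok": rfc_ok, "byte_check_ok": byte_ok, "note": note}


# Constructed sample directives (not taken from any real squid.conf).
SAMPLES = [
    "sslproxy_cert_adapt setCommonName{example.com} all",
    # A legal DNS name (one 63-octet label plus a TLD) that is 71 characters long,
    # so it cannot be carried in a commonName at all.
    "sslproxy_cert_adapt setCommonName{" + "a" * 63 + ".example} all",
    # 33 three-byte UTF-8 characters: 33 characters but 99 bytes.
    "sslproxy_cert_adapt setCommonName{" + "\u4f8b" * 33 + "} all",
    "sslproxy_cert_adapt setValidAfter all",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line))
```

For ASCII names the two counts agree; the byte count only diverges for multibyte names, where it rejects a value the RFC bound would permit, so the patch's check is conservative rather than unsafe.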
else if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetCommonName]) == 0) {
ca->alg = Ssl::algSetCommonName;
if (param) {
+ if (strlen(param) > 64) {
+ debugs(3, DBG_CRITICAL, "FATAL: sslproxy_cert_adapt: setCommonName{" <<param << "} : using common name longer than 64 bytes is not supported");
+ self_destruct();
+ return;
+ }
ca->param = strdup(param);
}
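Review bot: the new length check in the setCommonName branch compares strlen(param), a UTF-8 byte count, against 64, while the commit message cites the 64-character limit of RFC 5280; for ASCII names the two agree and for multibyte names the byte count is the stricter one, so the check is safe, but the commit text and the message "longer than 64 bytes" should state the same unit. The literal 64 appears twice in the hunk (the comparison and the debugs text); a named constant would keep them in step. Note that the check only covers the static parameter, so a common name taken from a mimicked certificate's subject is not bounded here, which matches the scope the commit describes.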
} else {
// returns a pointer to the existing subject name. Nothing to clean here.
if (properties.mimicCert.get()) {
X509_NAME *name = X509_get_subject_name(properties.mimicCert.get());
- if (!name)
- return false;
- // X509_set_subject_name will call X509_dup for name
- X509_set_subject_name(cert.get(), name);
+ if (name) {
+ // X509_set_subject_name will call X509_dup for name
+ X509_set_subject_name(cert.get(), name);
+ }
}
if (properties.setCommonName || !properties.mimicCert.get()) {
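Review bot: in the mimicCert branch, a NULL result from X509_get_subject_name() used to make the function return false and now falls through silently; when properties.setCommonName is false the following condition is also false, so the generated certificate leaves this code with no subject at all and nothing records why. Suggest a debugs() line on the NULL path so an operator can see where an empty subject came from, and a note in the function's documentation that a certificate without a subject is a possible result when the mimicked certificate's subject cannot be read.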