Author: James Brotchie <brotchie@gmail.com>
authorAmos Jeffries <squid3@treenet.co.nz>
Wed, 3 Feb 2010 12:36:21 +0000 (01:36 +1300)
committerAmos Jeffries <squid3@treenet.co.nz>
Wed, 3 Feb 2010 12:36:21 +0000 (01:36 +1300)
Port of X509 certificate alias-domain handling from 2.7.

configure.in
src/ssl_support.cc
src/ssl_support.h

index ac41b9893750142d533a0ccc6475b42bc52be343..83b6ebfce3733b9ed32be9817d7287690f932236 100644 (file)
@@ -2537,6 +2537,7 @@ AC_CHECK_HEADERS( \
        openssl/err.h \
        openssl/md5.h \
        openssl/ssl.h \
+       openssl/x509v3.h \
        netinet/tcp.h \
        openssl/engine.h \
        ostream \
index fa76d97e7f6eab7f368f675709b29db6c5995682..d7300683bf089b1ac5c29e9ad1cc6beced2f0173 100644 (file)
@@ -157,6 +157,31 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
             int i;
             int found = 0;
             char cn[1024];
+
+            STACK_OF(GENERAL_NAME) * altnames;
+            altnames = (STACK*)X509_get_ext_d2i(peer_cert, NID_subject_alt_name, NULL, NULL);
+            if (altnames) {
+                int numalts = sk_GENERAL_NAME_num(altnames);
+                debugs(83, 3, "Verifying server domain " << server << " to certificate subjectAltName");
+                for (i = 0; i < numalts; i++) {
+                    const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
+                    if (check->type != GEN_DNS) {
+                        continue;
+                    }
+                    ASN1_STRING *data = check->d.dNSName;
+                    if (data->length > (int)sizeof(cn) - 1) {
+                        continue;
+                    }
+                    memcpy(cn, data->data, data->length);
+                    cn[data->length] = '\0';
+                    debugs(83, 4, "Verifying server domain " << server << " to certificate name " << cn);
+                    if (matchDomainName(server, cn[0] == '*' ? cn + 1 : cn) == 0) {
+                        found = 1;
+                        break;
+                    }
+                }
+            }
+
             X509_NAME *name = X509_get_subject_name(peer_cert);
             debugs(83, 3, "Verifying server domain " << server << " to certificate dn " << buffer);
 
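Review bot: The `altnames` stack returned by X509_get_ext_d2i at the top of the added block is never released, so every verification that sees a subjectAltName extension leaks it; after the `if (altnames) { ... }` block add `sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free);`. The copy into `cn` also trusts `data->length` alone: a dNSName containing an embedded NUL byte is silently cut short once `cn` is handed to matchDomainName as a C string, so an entry whose bytes contain a NUL should be skipped rather than compared, e.g. `if (memchr(data->data, '\0', data->length)) continue;` before the memcpy. The `(STACK*)` cast on the assignment appears to rely on STACK_OF(GENERAL_NAME) being an alias of STACK, which may not hold for newer OpenSSL headers; casting to `(STACK_OF(GENERAL_NAME) *)` is the portable spelling. ssl_verify_cb starts before and continues after this hunk, so how `found` gates the subject-CN check that follows is not visible here.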
index 000fcda1e08ee392c26199f838c0ef44615fc8ba..58b43217ca769b2d593227bad04db06b53985707 100644 (file)
@@ -39,6 +39,9 @@
 #if HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
 #endif
+#if HAVE_OPENSSL_X509V3_H
+#include <openssl/x509v3.h>
+#endif
 #if HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
 #endif