s4:lib/tls: set GNUTLS_SAN_DNSNAME for self-signed certificates

It's better to include X509v3 Subject Alternative Name with
DNS names in the self-signed certificate...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 49e179963f56e749dac4e20284dc567e382ccdb2)

diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index 69a4189dedf06c66e2663c3aeaab32c4e2c20466..98ecb6eb134f4e30ea6661d0ec99fe366d02e740 100644 (file)
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -110,6 +110,9 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
        TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
                                      GNUTLS_OID_X520_COMMON_NAME, 0,
                                      hostname, strlen(hostname)));
+       TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
+                                                     hostname, strlen(hostname),
+                                                     GNUTLS_FSAN_SET));
        TLSCHECK(gnutls_x509_crt_set_key(crt, key));
        TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
        TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));