From: Stefan Metzmacher Date: Tue, 26 Aug 2025 13:22:10 +0000 (+0200) Subject: s4:lib/tls: add additional dns hostnames as GNUTLS_SAN_DNSNAME for self-signed certif... X-Git-Tag: samba-4.23.0rc3~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=20c3ccc7be78a7e1614361064b32d38694439e39;p=thirdparty%2Fsamba.git s4:lib/tls: add additional dns hostnames as GNUTLS_SAN_DNSNAME for self-signed certificates It's better to include X509v3 Subject Alternative Name with DNS names also for additional dns hostnames. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Aug 26 22:00:26 UTC 2025 on atb-devel-224 (cherry picked from commit 499656a05011a462b2e44faea7318a02c847de5e)
---
diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
index 2641b62ae26..4d988af30e9 100644
--- a/source4/lib/tls/tls.h
+++ b/source4/lib/tls/tls.h
@@ -28,6 +28,7 @@ struct loadparm_context;
 void tls_cert_generate(TALLOC_CTX *mem_ctx,
 const char *hostname,
+ const char * const *additional_hostnames,
 const char *keyfile,
 const char *certfile,
 const char *cafile);
@@ -75,6 +76,7 @@ NTSTATUS tstream_tls_params_quic_prepare(struct tstream_tls_params *tlsp);
 NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
 const char *dns_host_name,
+ const char * const *additional_dns_hostnames,
 bool enabled,
 const char *key_file,
 const char *cert_file,
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index b28a7cc27e3..7c2b99fbc6b 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -1495,6 +1495,7 @@ int tstream_tls_connect_recv(struct tevent_req *req,
 */
 NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
 const char *dns_host_name,
+ const char * const *additional_dns_hostnames,
 bool enabled,
 const char *key_file,
 const char *cert_file,
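Review bot: The new `additional_hostnames` parameter on the `tls_cert_generate` prototype in tls.h carries no contract comment, so a caller cannot tell from the header whether NULL is accepted or how the list is terminated; the tlscert.c implementation treats a NULL pointer as an empty list and stops at the first NULL element. Suggest a comment above the declaration: `/* additional_hostnames: optional NULL-terminated list of extra DNS names added as dNSName SANs; NULL means none */`. The `additional_dns_hostnames` parameter added to `tstream_tls_params_server` in the same file deserves the same wording, since tls_tstream.c passes it straight through to `tls_cert_generate` and only on the self-signed generation path.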
@@ -1545,6 +1546,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
 if (!file_exist(ca_file)) {
 tls_cert_generate(tlsp, dns_host_name,
+ additional_dns_hostnames,
 key_file, cert_file, ca_file);
 }
@@ -1667,6 +1669,7 @@ NTSTATUS tstream_tls_params_server_lpcfg(TALLOC_CTX *mem_ctx,
 status = tstream_tls_params_server(mem_ctx,
 lpcfg_dns_hostname(lp_ctx),
+ lpcfg_additional_dns_hostnames(lp_ctx),
 lpcfg_tls_enabled(lp_ctx),
 lpcfg_tls_keyfile(frame, lp_ctx),
 lpcfg_tls_certfile(frame, lp_ctx),
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index 98ecb6eb134..08386166a55 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -39,6 +39,7 @@ */
 void tls_cert_generate(TALLOC_CTX *mem_ctx,
 const char *hostname,
+ const char * const *additional_hostnames,
 const char *keyfile,
 const char *certfile,
 const char *cafile)
 {
@@ -50,6 +51,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 size_t bufsize;
 size_t keyidsize = sizeof(keyid);
 time_t activation = time(NULL), expiry = activation + LIFETIME;
+ size_t adhn_idx;
 int ret;
 if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
@@ -113,6 +115,17 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
 hostname, strlen(hostname),
 GNUTLS_FSAN_SET));
+ for (adhn_idx = 0;
+ additional_hostnames != NULL &&
+ additional_hostnames[adhn_idx] != NULL;
+ adhn_idx++)
+ {
+ const char *adhn = additional_hostnames[adhn_idx];
+
+ TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
+ adhn, strlen(adhn),
+ GNUTLS_FSAN_APPEND));
+ }
 TLSCHECK(gnutls_x509_crt_set_key(crt, key));
 TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
 TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
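Review bot: The dNSName entries appended by the new loop in tlscert.c are only written when the certificate is first generated: `tls_cert_generate` is reached only `if (!file_exist(ca_file))` in the tls_tstream.c hunk, and the `file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)` check at the top of the function appears to skip generation once the files exist, so an `additional dns hostnames` value added to an existing installation will not appear in the SAN and clients validating that name against the self-signed certificate would be expected to keep failing. A comment above the loop would make that visible: `/* SANs are fixed at generation time: a later change to "additional dns hostnames" needs the key/cert/CA files regenerated */`. If `lpcfg_additional_dns_hostnames()` can yield an empty element, `strlen(adhn)` is 0 and a zero-length dNSName is appended; `if (adhn[0] == '\0') { continue; }` at the top of the loop body would guard it. The failure path of the `TLSCHECK` macro is not visible here, and tls_cert_generate's body continues outside the hunk.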