From: Stefan Metzmacher
Date: Tue, 26 Aug 2025 09:55:40 +0000 (+0200)
Subject: s4:lib/tls: set GNUTLS_SAN_DNSNAME for self-signed certificates
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=49e179963f56e749dac4e20284dc567e382ccdb2;p=thirdparty%2Fsamba.git
s4:lib/tls: set GNUTLS_SAN_DNSNAME for self-signed certificates
It's better to include X509v3 Subject Alternative Name with DNS names in the self-signed certificate...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index 69a4189dedf..98ecb6eb134 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -110,6 +110,9 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0, hostname, strlen(hostname)));
+ TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
+ hostname, strlen(hostname),
+ GNUTLS_FSAN_SET));
 TLSCHECK(gnutls_x509_crt_set_key(crt, key));
 TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
 TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
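Review bot: The added `gnutls_x509_crt_set_subject_alt_name()` call stores `hostname` as a `GNUTLS_SAN_DNSNAME` entry with no visible check that the value is actually a DNS name. Where `hostname` comes from is outside the hunk, but if configuration can ever supply an IP literal or an empty string, the certificate would carry a dNSName that verifying clients will not match; an address would belong in a `GNUTLS_SAN_IPADDRESS` entry instead. A short comment above the call would record why the name is repeated, for example `/* clients that follow RFC 6125 match the server name against subjectAltName and ignore the CN once a SAN is present */`. The SAN carries only this one name, so clients that connect under an alias or short name will still fail verification. Presumably certificates generated before this change also stay without a SAN until they are recreated, which should be confirmed in the part of `tls_cert_generate()` that lies outside the hunk.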