From: Christos Tsantilas
Date: Fri, 23 Mar 2012 14:27:31 +0000 (+0200)
Subject: Fake certificate version
X-Git-Tag: BumpSslServerFirst.take08~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a874fbd28e568f64eff3e62a8e2ccd656646ef4;p=thirdparty%2Fsquid.git

Fake certificate version

According the RFC 5280: "When extensions are used, as expected in this profile, version MUST be 3 (value is 2)". This patch sets the generated certificates version to 3 when the subjectAltName extension copied from mimicking certificate.
---
diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 55fcabe6f4..15bedf67f9 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -309,8 +309,14 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
 if (!properties.setCommonName) {
 int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
 X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
- if (ext)
+ if (ext) {
 X509_add_ext(cert.get(), ext, -1);
+ /* According the RFC 5280 using extensions requires version 3
+ certificate.
+ Set version value to 2 for version 3 certificates.
+ */
+ X509_set_version(cert.get(), 2);
+ }
 }
 }
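Review bot: The return values of `X509_add_ext()` and the newly added `X509_set_version()` inside `if (ext) { … }` are discarded, so a failure of either still yields a generated certificate whose version and extension list disagree, which is the RFC 5280 violation this commit is meant to prevent. Both calls return 1 on success, so the pair can be checked together, for example `if (!X509_add_ext(cert.get(), ext, -1) || !X509_set_version(cert.get(), 2)) return false;`, assuming the rest of buildCertificate signals failure through its bool result. Failing generation is preferable to signing and serving a malformed certificate that strict TLS clients may reject. The body of buildCertificate starts and ends outside this hunk, so whether extensions added elsewhere in the function also need the version bump cannot be judged from here.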