]> git.ipfire.org Git - thirdparty/haproxy.git/commit
projects / thirdparty / haproxy.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fbc98eb) | patch
BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes
authorWilliam Lallemand <wlallemand@haproxy.com>
Fri, 16 Jan 2026 10:47:06 +0000 (11:47 +0100)
committerWilliam Lallemand <wlallemand@haproxy.com>
Wed, 21 Jan 2026 09:45:22 +0000 (10:45 +0100)
commiteb5279b15470d187061b1d7be3512ca6178eba0c
tree1dd9abcaddc483a3f0ebddcb33c77b26231bff70tree | snapshot
parentfbc98ebcdaefd4c024b33194640350ba0c348567commit | diff
BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes

The problem is that the certificate is generated with a CN greater than
64 bytes when the SNI is too long, which is not suppose to be supported,
and will end up with a handshake failure.

The patch fixes the issue by avoiding to add a CN when the SNI is longer than
64 bytes. Indeed this is not a mandatory field anymore and was deprecated more
than 20 years ago. The SAN DNS is enough for this case.

Must be backported in every stable branches.
reg-tests/ssl/ssl_generate_certificate.vtc diff | blob | blame | history
src/ssl_gencert.c diff | blob | blame | history
Mirror of https://github.com/haproxy/haproxy.git