Bug fix: setCommonName and alternative names

setCommonName sets CN, but that is not enough when the fake certificate containsalternative names (which Squid mimics): The browser does not accept the
resulting fake certificate because it does not contains at least one alternativename that matches the domain name.

This patch stop mimicking of "Certificate Subject Alt Name" extensions when the
setCommonName adaptation algorithm used

diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 8608da568bc0422f4613214fc2ce43f3c4a141e7..e9ed33f76b959c2bee9766bcde7c25a77f49e6e4 100644 (file)
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -271,6 +271,7 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
     } else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3))
         return false;
 
+    // If the common name is not adapted, also mimic the aliases and subjectAltName
     if (properties.mimicCert.get()) {
         unsigned char *alStr;
         int alLen;
@@ -279,11 +280,13 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
             X509_alias_set1(cert.get(), alStr, alLen);
         }
 
-        // Add subjectAltName extension used to support multiple hostnames with one certificate
-        int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
-        X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos); 
-        if (ext)
-            X509_add_ext(cert.get(), ext, -1);
+        if (!properties.setCommonName) {
+            // Add subjectAltName extension used to support multiple hostnames with one certificate
+            int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
+            X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos); 
+            if (ext)
+                X509_add_ext(cert.get(), ext, -1);
+        }
     }
 
     return true;