BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes
authorWilliam Lallemand <wlallemand@haproxy.com>
Fri, 16 Jan 2026 10:47:06 +0000 (11:47 +0100)
committerWilliam Lallemand <wlallemand@haproxy.com>
Wed, 21 Jan 2026 09:45:22 +0000 (10:45 +0100)
The problem is that the certificate is generated with a CN greater than
64 bytes when the SNI is too long, which is not supposed to be supported,
and will end up with a handshake failure.

The patch fixes the issue by not adding a CN when the SNI is longer than
64 bytes. Indeed this is not a mandatory field anymore and was deprecated more
than 20 years ago. The SAN DNS is enough for this case.

Must be backported to all stable branches.

reg-tests/ssl/ssl_generate_certificate.vtc
src/ssl_gencert.c

index aa129546de485b545cd9e7de64a9ba953d726ade..1f758f98a791f23a1a9f31b7a7a7150f84b47201 100644 (file)
@@ -150,7 +150,7 @@ client c5 -connect ${h1_clearlst_sock} {
 # Use another SNI - the server certificate should be generated and different
 # than the default one
 client c6 -connect ${h1_clearlst_sock} {
-  txreq -url "/P-384" -hdr "x-sni: unknown-sni.com"
+  txreq -url "/P-384" -hdr "x-sni: sni-longer-sni-longer-sni-longer-sni-longer-than-64-bytes-unknown-sni.com"
   rxresp
   expect resp.status == 200
   expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
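Review bot: The c6 request now only exercises a 73-byte SNI, so the boundary at which the CN is dropped is not covered, and the short-SNI request this client used to send is gone. One client with a name of exactly 64 bytes and one with 65 bytes would pin the `<= 64` comparison in src/ssl_gencert.c. The visible expectations (`resp.status == 200`, `x-ssl-sig_alg`) also say nothing about the subject or SAN of the generated certificate; if the test can expose those (not visible in this hunk), asserting that the long name is present in the SAN would confirm the fallback the commit relies on. The client c6 block continues outside the hunk.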
index ccb5d1b0d6b2ee08a049979978c920fc7c85493d..ca4b3c530f4e09501c20770e319efb981899587c 100644 (file)
@@ -141,11 +141,14 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf
 
        /* Set the subject name using the same, but the CN */
        name = X509_NAME_dup(name);
-       if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
-                                      (const unsigned char *)servername,
-                                      -1, -1, 0) != 1) {
-               X509_NAME_free(name);
-               goto mkcert_error;
+
+       if (strlen(servername) <= 64) {
+               if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+                                             (const unsigned char *)servername,
+                                             -1, -1, 0) != 1) {
+                       X509_NAME_free(name);
+                       goto mkcert_error;
+               }
        }
        if (X509_set_subject_name(newcrt, name) != 1) {
                X509_NAME_free(name);
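Review bot: The bare `64` in `if (strlen(servername) <= 64)` is the X.520 upper bound on commonName, and nothing in the hunk says so; a named constant or a comment such as `/* CN is limited to 64 bytes (ub-common-name); longer names are carried by the SAN only */` would keep the limit from looking arbitrary and keep the existing "using the same, but the CN" comment accurate. When the branch is skipped, `name` is still the unmodified copy from `X509_NAME_dup(name)`, so `X509_set_subject_name()` installs whatever that source name was. If that source is the issuer name (it is assigned outside the hunk, so this is an inference), the generated certificate ends up with subject equal to issuer, which is worth confirming against verifiers that handle self-issued certificates specially. The body of ssl_sock_do_create_cert starts and ends outside the hunk.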