From: Michael R Sweet Date: Tue, 19 Feb 2019 20:04:36 +0000 (-0500) Subject: Add subject alternate names for self-signed certificates (Issue #5525) X-Git-Tag: v2.3b8~105 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1df7a46155d3219536faf708bcf99b58ac5d88f7;p=thirdparty%2Fcups.git Add subject alternate names for self-signed certificates (Issue #5525)
---
diff --git a/CHANGES.md b/CHANGES.md
index 5a73a2365d..6fcf798dec 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,8 @@ Changes in CUPS v2.3b8
 - Non-Kerberized printing to Windows via IPP was broken (Issue #5515)
 - Eliminated use of private headers and some deprecated macOS APIs (Issue #5516)
 - Added a USB quirks rule for Xerox printers (Issue #5523)
+- The scheduler's self-signed certificate did not include all of the alternate
+ names for the server when using GNU TLS (Issue #5525)
 - Localization updates (Issue #5461, Issues #5471, Issue #5481, Issue #5486,
 Issue #5489, Issue #5491, Issue #5492, Issue #5493, Issue #5494, Issue #5495,
 Issue #5497, Issue #5499, Issue #5500, Issue #5501, Issue #5504)
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 8e45db27b7..4adf4db0b5 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -168,8 +168,31 @@ cupsMakeServerCredentials(
 gnutls_x509_crt_set_activation_time(crt, curtime);
 gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
 gnutls_x509_crt_set_ca_status(crt, 0);
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, common_name, (unsigned)strlen(common_name), GNUTLS_FSAN_SET);
+ if (!strchr(common_name, '.'))
+ {
+ /*
+ * Add common_name.local to the list, too...
+ */
+
+ char localname[256]; /* hostname.local */
+
+ snprintf(localname, sizeof(localname), "%s.local", common_name);
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, localname, (unsigned)strlen(localname), GNUTLS_FSAN_APPEND);
+ }
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "localhost", 9, GNUTLS_FSAN_APPEND);
 if (num_alt_names > 0)
- gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]);
+ {
+ int i; /* Looping var */
+
+ for (i = 0; i < num_alt_names; i ++)
+ {
+ if (strcmp(alt_names[i], "localhost"))
+ {
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, alt_names[i], (unsigned)strlen(alt_names[i]), GNUTLS_FSAN_APPEND);
+ }
+ }
+ }
 gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
 gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
 gnutls_x509_crt_set_version(crt, 3);
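Review bot: The new loop over alt_names skips only entries exactly equal to "localhost", so an alt_names entry that repeats common_name (or the generated common_name.local) is appended as a duplicate DNS SAN, and the strcmp() is case-sensitive although DNS names are not. I would widen the guard to `if (strcmp(alt_names[i], "localhost") && strcmp(alt_names[i], common_name))` (a case-insensitive compare if one is in scope in this file), and since every gnutls_x509_crt_set_subject_alt_name() return value in the hunk is discarded, record at least the first failure so the certificate is not emitted with a silently incomplete SAN list. The snprintf() into the 256-byte localname truncates a long common_name without any indication, producing a SAN that does not match the host; a length check before the call, or at least a comment such as `/* assumes common_name is shorter than 250 bytes; truncation would yield a wrong SAN */`, would make that assumption visible. cupsMakeServerCredentials() begins before and continues past this hunk.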