From: Christos Tsantilas Date: Thu, 23 Feb 2012 19:51:38 +0000 (+0200) Subject: Bug fix: setCommonName and alternative names X-Git-Tag: BumpSslServerFirst.take05~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b7ed55fc04de3c61046c2b308b0621deb7fd627;p=thirdparty%2Fsquid.git Bug fix: setCommonName and alternative names setCommonName sets CN, but that is not enough when the fake certificate containsalternative names (which Squid mimics): The browser does not accept the resulting fake certificate because it does not contains at least one alternativename that matches the domain name. This patch stop mimicking of "Certificate Subject Alt Name" extensions when the setCommonName adaptation algorithm used
---
diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 8608da568b..e9ed33f76b 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -271,6 +271,7 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
 } else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3))
 return false;
+ // If the common name is not adapted, also mimic the aliases and subjectAltName
 if (properties.mimicCert.get()) {
 unsigned char *alStr;
 int alLen;
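Review bot: The added comment claims that both the aliases and subjectAltName are mimicked only when the common name is not adapted, but the second hunk gates only the subjectAltName copy on `!properties.setCommonName`; the `X509_alias_set1` call stays unconditional inside `if (properties.mimicCert.get())`. A reader will take the comment as the contract, so it should say what the code does, e.g. `// Mimic the original certificate's aliases; mimic its subjectAltName too, unless the common name is adapted`. buildCertificate starts and ends outside this hunk, so I cannot see whether the aliases are gated elsewhere.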
@@ -279,11 +280,13 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
 X509_alias_set1(cert.get(), alStr, alLen);
 }
- // Add subjectAltName extension used to support multiple hostnames with one certificate
- int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
- X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
- if (ext)
- X509_add_ext(cert.get(), ext, -1);
+ if (!properties.setCommonName) {
+ // Add subjectAltName extension used to support multiple hostnames with one certificate
+ int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
+ X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
+ if (ext)
+ X509_add_ext(cert.get(), ext, -1);
+ }
 }
 return true;
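Review bot: When `properties.setCommonName` is set, the new `if (!properties.setCommonName)` branch drops the subjectAltName extension entirely, so the generated certificate then carries the adapted name only in the CN and depends on the client falling back to CN matching; a client that requires a subjectAltName will still reject it, which is the very failure the description reports. Rather than omitting the extension, the `else` side should build a subjectAltName holding the adapted name (via `X509V3_EXT_conf_nid` with `NID_subject_alt_name` and a `DNS:` value) so the certificate stays acceptable either way. I cannot see from the hunk which field of `properties` holds the adapted common name, so the sketch below uses a labelled placeholder for it. The re-indented `X509_add_ext` call still ignores its return value; the sketch checks it, since a silently missing SAN is hard to diagnose later. buildCertificate's closing brace lies outside the hunk.
```cpp
        if (!properties.setCommonName) {
            // … unchanged: copy the mimicked subjectAltName extension …
        } else {
            // The mimicked SAN no longer matches the adapted CN; give the adapted
            // name its own subjectAltName so clients that ignore the CN still match.
            // PLACEHOLDER: adaptedName must be the common name chosen by the adaptation.
            std::string altName = std::string("DNS:") + adaptedName;
            X509_EXTENSION *ext = X509V3_EXT_conf_nid(NULL, NULL, NID_subject_alt_name,
                                                      const_cast<char *>(altName.c_str()));
            if (!ext || !X509_add_ext(cert.get(), ext, -1)) {
                X509_EXTENSION_free(ext);
                return false;
            }
            X509_EXTENSION_free(ext); // X509_add_ext copies the extension
        }
```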