From: Alex Rousskov
Date: Sat, 2 Jun 2012 00:21:53 +0000 (-0600)
Subject: Assume [] surround an IPv6 address and strip them
X-Git-Tag: BumpSslServerFirst.take08
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a962df3f11e771d248e0ded367f9c05d82286f8;p=thirdparty%2Fsquid.git

Assume [] surround an IPv6 address and strip them

Browsers such as Firefox, Chromium, and Safari prefer bare IPv6 addresses in CNs. They generate confusing errors when they see bracketed CNs. For example:

You attempted to reach [2001:470:1:18::120], but instead you actually reached a server identifying itself as [2001:470:1:18::120]. Chromium can say for sure that you reached [2001:470:1:18::120], but cannot verify that that is the same site as [2001:470:1:18::120] which you intended to reach.
---

diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index de73fbc218..1ff34ebf97 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -155,9 +155,10 @@ bool Ssl::readCertFromMemory(X509_Pointer & cert, char const * bufferToRead)
 static const size_t MaxCnLen = 64;
 
 // Replace certs common name with the given
-static bool replaceCommonName(Ssl::X509_Pointer & cert, std::string const &cn)
+static bool replaceCommonName(Ssl::X509_Pointer & cert, std::string const &rawCn)
 {
-    std::string fixedCn;
+    std::string cn = rawCn;
+
     if (cn.length() > MaxCnLen) {
         // In the case the length od CN is more than the maximum supported size
         // try to use the first upper level domain.
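Review bot: The header comment `// Replace certs common name with the given` no longer describes what happens to rawCn now that the function works on its own mutable copy: the name may be shortened to a wildcard form when it exceeds MaxCnLen and, per the second hunk, surrounding [] are stripped before it is written into the subject. I would replace it with `// Replaces the certificate's common name with rawCn, after shortening it to a wildcard form if it is longer than MaxCnLen and stripping surrounding []; returns false when no usable CN or subject name is available.` The function body continues past the end of this hunk.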
@@ -171,10 +172,16 @@ static bool replaceCommonName(Ssl::X509_Pointer & cert, std::string const &cn)
         if (pos == std::string::npos || cn.find('.', pos + 1) == std::string::npos)
             return false;
-        fixedCn.append(1,'*');
+        std::string fixedCn(1, '*');
         fixedCn.append(cn.c_str() + pos);
+        cn = fixedCn;
     }
 
+    // Assume [] surround an IPv6 address and strip them because browsers such
+    // as Firefox, Chromium, and Safari prefer bare IPv6 addresses in CNs.
+    if (cn.length() > 2 && *cn.begin() == '[' && *cn.rbegin() == ']')
+        cn = cn.substr(1, cn.size()-2);
+
     X509_NAME *name = X509_get_subject_name(cert.get());
     if (!name)
         return false;
@@ -188,7 +195,7 @@ static bool replaceCommonName(Ssl::X509_Pointer & cert, std::string const &cn)
     // Add a new CN
     return X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
-                                      (unsigned char *)(fixedCn.empty() ? cn.c_str() : fixedCn.c_str()), -1, -1, 0);
+                                      (unsigned char *)(cn.c_str()), -1, -1, 0);
 }
 
 const char *Ssl::CertSignAlgorithmStr[] = {
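Review bot: The bracket stripping is placed after the MaxCnLen shortening, so `if (cn.length() > MaxCnLen)` in the previous hunk measures the bracketed form, and inside that branch a bracketed literal with no '.' returns false before the brackets are ever removed. Moving the new comment, the `if (cn.length() > 2 && *cn.begin() == '[' && *cn.rbegin() == ']')` line and `cn = cn.substr(1, cn.size()-2);` above the length check would let both checks operate on the final CN; in practice a bracketed IPv6 literal fits well under 64 characters, so this is a robustness and readability point rather than a visible failure. The guard also strips any `[...]`-wrapped string, not only IPv6 literals, which the comment's "Assume" acknowledges but which deserves to be explicit: `// Strip surrounding [] from any name; we assume only IPv6 literals arrive bracketed.` The enclosing function starts in the previous hunk.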
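Review bot: The entry length is still left to OpenSSL (`-1` makes it strlen() the buffer), so a rawCn containing an embedded NUL would silently produce a shorter CN than the std::string holds; passing the string's own length keeps the two in step: `(unsigned char *)(cn.c_str()), static_cast<int>(cn.size()), -1, 0);`. Whether any caller can pass such a name is not visible here, so treat this as a defensive tightening rather than a known defect. The C-style cast also hides that constness is being discarded from c_str(); if the project's OpenSSL baseline accepts a const pointer for this argument, `reinterpret_cast<const unsigned char *>(cn.c_str())` would make the intent explicit.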