From: Christos Tsantilas
Date: Thu, 22 Dec 2011 15:23:33 +0000 (+0200)
Subject: Implement the Ssl::CommonHostName name to recurn the CN from a certificate,
X-Git-Tag: BumpSslServerFirst.take02~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b49db5be83138de9b7bd47ed9aebaec5a8517a2;p=thirdparty%2Fsquid.git

Implement the Ssl::CommonHostName name to recurn the CN from a certificate, suitable for use as a host name. Use this function to set the ConnStateData::sslHostName in ConnStateData::httpsPeeked method
---
diff --git a/src/client_side.cc b/src/client_side.cc
index 4dec7a8113..2df6815fe0 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3716,16 +3716,10 @@ ConnStateData::httpsPeeked(Comm::ConnectionPointer serverConnection)
 assert(ssl);
 Ssl::X509_Pointer serverCert(SSL_get_peer_certificate(ssl));
 assert(serverCert.get() != NULL);
-
- char name[256] = ""; // stores common name (CN)
- // TODO: What if CN is a UTF8String? See X509_NAME_get_index_by_NID(3ssl).
- const int nameLen = X509_NAME_get_text_by_NID(
- X509_get_subject_name(serverCert.get()),
- NID_commonName, name, sizeof(name));
- assert(0 < nameLen && nameLen < static_cast(sizeof(name)));
- debugs(33, 5, HERE << "found HTTPS server " << name << " at bumped " <<
+ sslHostName = Ssl::CommonHostName(serverCert.get());
+ assert(sslHostName.defined());
+ debugs(33, 5, HERE << "found HTTPS server " << sslHostName << " at bumped " <<
 *serverConnection);
- sslHostName = name;

 pinConnection(serverConnection, NULL, NULL, false);

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index a6a0eebeb4..3ef5ba4d09 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
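Review bot: The new `assert(sslHostName.defined())` in httpsPeeked is reachable from the peer's certificate: Ssl::CommonHostName returns NULL for a certificate whose subject has no CN (legal when the name is carried only in SANs), so a bumped server can trigger the assert; if the project's assert is fatal in production builds, that is a remotely triggerable crash, and the removed `assert(0 < nameLen ...)` had the same shape, so the commit keeps rather than fixes it. A missing CN should be handled as an error for this connection (log it via debugs and take whatever failure path httpsPeeked uses for an unusable server, rather than pinning), and the same applies if CommonHostName is later taught to reject truncated or malformed names. Note also that the value is used as a host name without any check that it is syntactically a host name; the UTF8String TODO from the removed code now lives in support.cc, so a pointer to it here would help the next reader. httpsPeeked starts before and continues after this hunk.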
@@ -1331,4 +1331,21 @@ void Ssl::readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Poin
 }
 }
+const char *Ssl::CommonHostName(X509 *x509)
+{
+ static char name[256] = ""; // stores common name (CN)
+
+ if (!x509)
+ return NULL;
+
+ // TODO: What if CN is a UTF8String? See X509_NAME_get_index_by_NID(3ssl).
+ const int nameLen = X509_NAME_get_text_by_NID(
+ X509_get_subject_name(x509),
+ NID_commonName, name, sizeof(name));
+
+ if (nameLen > 0)
+ return name;
+
+ return NULL;
+}
 #endif /* USE_SSL */
diff --git a/src/ssl/support.h b/src/ssl/support.h
index d34e1fd231..3bf0f3d799 100644
--- a/src/ssl/support.h
+++ b/src/ssl/support.h
@@ -167,6 +167,13 @@ int asn1timeToString(ASN1_TIME *tm, char *buf, int len);
 \return true if SNI set false otherwise
 */
 bool setClientSNI(SSL *ssl, const char *fqdn);
+
+/**
+ \ingroup ServerProtocolSSLAPI
+ * Returns CN from the certificate, suitable for use as a host name.
+ * Uses static memory to temporary store the extracted name.
+*/
+const char *CommonHostName(X509 *x509);
 } //namespace Ssl
 #if _SQUID_MSWIN_
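Review bot: Ssl::CommonHostName returns a name that may not be the one in the certificate: X509_NAME_get_text_by_NID (in the OpenSSL releases I know) copies at most `sizeof(name) - 1` bytes and returns the count copied, so a CN longer than 255 bytes is silently truncated and still returned with `nameLen > 0`, and a CN containing an embedded NUL byte produces a C string shorter than nameLen. Since the caller uses the result as a host name, both cases should be treated as "no usable name" and return NULL; the existing TODO about UTF8String should stay. The result also lives in a function-static buffer, so it is overwritten by the next call and is not safe across threads; that is acceptable only if every caller copies it immediately, which is worth stating in a comment on the buffer. The tail of the function could become the following (strlen assumes the usual string header is already included in support.cc; verify).
```cpp
    // … unchanged: static buffer, NULL check, X509_NAME_get_text_by_NID call …

    // Reject a CN that was truncated to fit the buffer or that contains an
    // embedded NUL: either would yield a host name that differs from the
    // one actually present in the certificate.
    if (nameLen <= 0 ||
        nameLen >= static_cast<int>(sizeof(name)) - 1 ||
        strlen(name) != static_cast<size_t>(nameLen))
        return NULL;

    return name;
```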
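Review bot: The new doxygen block for CommonHostName in support.h does not state the NULL cases or the lifetime of the returned pointer, both of which callers need to get right, and "temporary store" should read "temporarily store". Suggest replacing the two description lines with: `* Returns the subject CN of the certificate, suitable for use as a host name,` / `* or NULL when x509 is NULL or the subject has no CN. The result lives in static` / `* storage and is overwritten by the next call; copy it before calling again.`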