From: William Lallemand
Date: Fri, 16 Jan 2026 10:47:06 +0000 (+0100)
Subject: BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes
X-Git-Tag: v3.4-dev3~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb5279b15470d187061b1d7be3512ca6178eba0c;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes

The problem is that the certificate is generated with a CN greater than 64 bytes when the SNI is too long, which is not supposed to be supported, and will end up with a handshake failure.

The patch fixes the issue by avoiding adding a CN when the SNI is longer than 64 bytes. Indeed this is not a mandatory field anymore and was deprecated more than 20 years ago. The SAN DNS is enough for this case.

Must be backported in every stable branch.
---
diff --git a/reg-tests/ssl/ssl_generate_certificate.vtc b/reg-tests/ssl/ssl_generate_certificate.vtc index aa129546d..1f758f98a 100644 --- a/reg-tests/ssl/ssl_generate_certificate.vtc +++ b/reg-tests/ssl/ssl_generate_certificate.vtc @@ -150,7 +150,7 @@ client c5 -connect ${h1_clearlst_sock} { # Use another SNI - the server certificate should be generated and different # than the default one client c6 -connect ${h1_clearlst_sock} { - txreq -url "/P-384" -hdr "x-sni: unknown-sni.com" + txreq -url "/P-384" -hdr "x-sni: sni-longer-sni-longer-sni-longer-sni-longer-than-64-bytes-unknown-sni.com" rxresp expect resp.status == 200 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c index ccb5d1b0d..ca4b3c530 100644 --- a/src/ssl_gencert.c +++ b/src/ssl_gencert.c 
@@ -141,11 +141,14 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf /* Set the subject name using the same, but the CN */ name = X509_NAME_dup(name); - if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, - (const unsigned char *)servername, - -1, -1, 0) != 1) { - X509_NAME_free(name); - goto mkcert_error; + + if (strlen(servername) <= 64) { + if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, + (const unsigned char *)servername, + -1, -1, 0) != 1) { + X509_NAME_free(name); + goto mkcert_error; + } } if (X509_set_subject_name(newcrt, name) != 1) { X509_NAME_free(name);
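Review bot: in the reg-tests/ssl/ssl_generate_certificate.vtc hunk, replacing the `x-sni: unknown-sni.com` header of client c6 with the 73-byte name drops the short-SNI coverage this client provided; adding the long name as a separate client (or a second request in c6) would keep both the "CN present" and "CN omitted" paths exercised. The remaining assertions, `expect resp.status == 200` and the `x-ssl-sig_alg` check, only show that the handshake completes; they do not confirm that the generated certificate actually omits the CN and carries the name in the SAN, which is the behaviour the fix introduces, so a check on the served certificate's subject would make the regression test more specific.

Review bot: the new `if (strlen(servername) <= 64)` in the src/ssl_gencert.c hunk hard-codes the X.509 upper bound on commonName (ub-common-name, 64) without saying so; a named constant or a one-line comment on the new branch would document where 64 comes from and that the comparison is in bytes, which is consistent with the `MBSTRING_ASC` encoding passed to `X509_NAME_add_entry_by_txt`. The preceding comment `/* Set the subject name using the same, but the CN */` is now only partly true, since for long names the duplicated `name` is passed to `X509_set_subject_name` unchanged; updating it to state that the CN is skipped for names longer than 64 bytes and that the SAN carries the host name in that case would help the next reader.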
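The commit message relies on two facts: a commonName longer than 64 bytes violates the X.509 upper bound (RFC 5280 Appendix A, ub-common-name), and a dNSName in the subjectAltName is what clients actually match against the SNI. The following is an added example, not HAProxy code, that checks a DER-encoded subject Name and SubjectAltName value against exactly those two rules, and mirrors the fix by omitting the CN when the server name exceeds the bound. The minimal DER encoder/decoder, the `subject_for_sni` helper and the `Example CA` organisation value are all constructed here for illustration; the long host name is the one used in the patched regression test.

```python
"""Check generated leaf-certificate naming against the X.509 CN bound (added example)."""

UB_COMMON_NAME = 64                        # RFC 5280 Appendix A: ub-common-name INTEGER ::= 64
OID_COMMON_NAME = bytes.fromhex("550403")  # 2.5.4.3 id-at-commonName
OID_ORGANIZATION = bytes.fromhex("55040a")  # 2.5.4.10 id-at-organizationName


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_children(body):
    """Yield (tag, body) for each element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner


def common_names(name_der):
    """Collect CN values from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    tag, rdns, _ = read_tlv(name_der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    found = []
    for _, rdn in iter_children(rdns):            # each RelativeDistinguishedName is a SET
        for _, atv in iter_children(rdn):         # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (_, value) = list(iter_children(atv))
            if oid == OID_COMMON_NAME:
                found.append(value.decode("utf-8"))
    return found


def san_dns_names(san_der):
    """Collect dNSName entries ([2] IMPLICIT IA5String, tag 0x82) from a SubjectAltName value."""
    _, names, _ = read_tlv(san_der, 0)
    return [v.decode("ascii") for t, v in iter_children(names) if t == 0x82]


def check_generated_cert(subject_der, san_der):
    """Return findings for a generated certificate's naming; an empty list means it is acceptable."""
    findings = []
    for cn in common_names(subject_der):
        n = len(cn.encode("utf-8"))        # byte length, matching a strlen() check on the C side
        if n > UB_COMMON_NAME:
            findings.append(f"CN exceeds ub-common-name ({n} > {UB_COMMON_NAME})")
    if not san_dns_names(san_der):
        findings.append("no dNSName in subjectAltName; clients cannot match the SNI")
    return findings


# --- constructed sample data -------------------------------------------------

def make_subject(cn=None, org="Example CA"):
    """Build a subject Name with an O attribute and, optionally, a CN (UTF8String values)."""
    rdns = [tlv(0x31, tlv(0x30, tlv(0x06, OID_ORGANIZATION) + tlv(0x0C, org.encode())))]
    if cn is not None:
        rdns.append(tlv(0x31, tlv(0x30, tlv(0x06, OID_COMMON_NAME) + tlv(0x0C, cn.encode()))))
    return tlv(0x30, b"".join(rdns))


def make_san(*dns_names):
    """Build a SubjectAltName value holding only dNSName entries."""
    return tlv(0x30, b"".join(tlv(0x82, d.encode("ascii")) for d in dns_names))


def subject_for_sni(servername):
    """Mirror the fix: add a CN only when the server name fits the 64-byte bound."""
    return make_subject(cn=servername if len(servername.encode("utf-8")) <= UB_COMMON_NAME else None)


# Host name from the patched regression test (73 bytes).
LONG_SNI = "sni-longer-sni-longer-sni-longer-sni-longer-than-64-bytes-unknown-sni.com"

if __name__ == "__main__":
    print("before fix:", check_generated_cert(make_subject(cn=LONG_SNI), make_san(LONG_SNI)))
    print("after fix: ", check_generated_cert(subject_for_sni(LONG_SNI), make_san(LONG_SNI)))
```

The "before fix" case reproduces the naming the commit message describes (a CN of 73 bytes) and is flagged; the "after fix" case has no CN but still names the host in the SAN, so it passes. The same check can be applied to DER pulled from a live listener by extracting the subject and the subjectAltName extension value with whatever X.509 tooling is at hand.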