[patch] a patch to mod_ssl search for the server's hostname in the Subject Alternative Name extension of a x509v3 certificate.

apache-2.2.11-mod_ssl-altname.patch (text/plain), 3.67 KB, created by Björn on 2009-04-19 05:00:33 UTC

(hide)

Description: a patch to mod_ssl search for the server's hostname in the Subject Alternative Name extension of a x509v3 certificate.

Filename:

MIME Type:

Creator: Björn

Created: 2009-04-19 05:00:33 UTC

Size: 3.67 KB

patch

obsolete

>diff -NaurwB httpd-2.2.11.orig/modules/ssl/ssl_engine_init.c httpd-2.2.11/modules/ssl/ssl_engine_init.c >--- httpd-2.2.11.orig/modules/ssl/ssl_engine_init.c 2009-04-19 13:24:04.000000000 +0200 >+++ httpd-2.2.11/modules/ssl/ssl_engine_init.c 2009-04-19 13:29:17.000000000 +0200 >@@ -830,18 +830,19 @@ > int fnm_flags = APR_FNM_PERIOD|APR_FNM_CASE_BLIND; > > if (apr_fnmatch_test(cn)) { >- if (apr_fnmatch(cn, s->server_hostname, >- fnm_flags) == APR_FNM_NOMATCH) { >+ if ((apr_fnmatch(cn, s->server_hostname, >+ fnm_flags) == APR_FNM_NOMATCH) && >+ !SSL_X509_checkANs(cert, s)) { > ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, > "%s server certificate wildcard CommonName " > "(CN) `%s' does NOT match server name!?", > ssl_asn1_keystr(type), cn); > } > } >- else if (strNE(s->server_hostname, cn)) { >+ else if (strNE(s->server_hostname, cn) && !SSL_X509_checkANs(cert, s)) { > ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, >- "%s server certificate CommonName (CN) `%s' " >- "does NOT match server name!?", >+ "%s server certificate CommonName (CN) `%s' or Subject" >+ "Alternative Name do NOT match server name!?", > ssl_asn1_keystr(type), cn); > } > } >diff -NaurwB httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.c httpd-2.2.11/modules/ssl/ssl_util_ssl.c >--- httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.c 2009-04-19 13:24:04.000000000 +0200 >+++ httpd-2.2.11/modules/ssl/ssl_util_ssl.c 2009-04-19 13:31:00.000000000 +0200 >@@ -354,6 +354,47 @@ > #endif > } > >+/* check the list of possibly existing altnames for the server name */ >+BOOL SSL_X509_checkANs(X509 *cert, server_rec *s) >+{ >+#ifdef HAVE_SSL_X509V3_EXT_d2i >+ X509_EXTENSION *ext; >+ GENERAL_NAMES *gns; >+ GENERAL_NAME *gn; >+ BOOL result = FALSE; >+ int idx, i; >+ >+ if ((idx = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) < 0) >+ return FALSE; >+ ext = X509_get_ext(cert, idx); >+ if (ext == NULL) >+ return FALSE; >+ if ((gns = (GENERAL_NAMES*)X509V3_EXT_d2i(ext)) == NULL) >+ return FALSE; >+ >+ for(i = 0; i < sk_GENERAL_NAME_num(gns); i++) { >+ gn = sk_GENERAL_NAME_value(gns, i); >+ if (gn->type == GEN_DNS) { >+ if (apr_fnmatch_test(gn->d.ia5->data)) { >+ if (apr_fnmatch(gn->d.ia5->data, s->server_hostname, APR_FNM_PERIOD|APR_FNM_CASE_BLIND) != APR_FNM_NOMATCH) { >+ result = TRUE; >+ goto cleanup; >+ } >+ } else if (!strNE(s->server_hostname, gn->d.ia5->data)) { >+ result = TRUE; >+ goto cleanup; >+ } >+ } >+ } >+ >+ cleanup: >+ GENERAL_NAMES_free(gns); >+ return result; >+#else >+ return FALSE; >+#endif >+} >+ > /* retrieve subject CommonName of certificate */ > BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN) > { >diff -NaurwB httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.h httpd-2.2.11/modules/ssl/ssl_util_ssl.h >--- httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.h 2009-04-19 13:24:04.000000000 +0200 >+++ httpd-2.2.11/modules/ssl/ssl_util_ssl.h 2009-04-19 13:24:22.000000000 +0200 >@@ -85,6 +85,7 @@ > char *SSL_make_ciphersuite(apr_pool_t *, SSL *); > BOOL SSL_X509_isSGC(X509 *); > BOOL SSL_X509_getBC(X509 *, int *, int *); >+BOOL SSL_X509_checkANs(X509 *, server_rec*); > BOOL SSL_X509_getCN(apr_pool_t *, X509 *, char **); > BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *); > BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *); View Attachment As Diff View Attachment As Raw

This is ASF Bugzilla: the Apache Software Foundation bug system. In case of problems with the functioning of ASF Bugzilla, please contact bugzilla-admin@apache.org. Please Note: this e-mail address is only for reporting problems with ASF Bugzilla. Mail about any other subject will be silently ignored.

• • Home
  • | New
  • | Browse
  • | Search
  • |
    [?]
  • | Reports
  • | Help
  • | New Account
  • | Log In
    Remember [x]
  • | Forgot Password
    Login: [x]