ASF Bugzilla – Attachment 23511 Details for
Bug 47051
"Subject Alternative Name" not used while checking certificate
[patch]
a patch to mod_ssl search for the server's hostname in the Subject Alternative Name extension of a x509v3 certificate.
apache-2.2.11-mod_ssl-altname.patch (text/plain), 3.67 KB, created by
Björn
on 2009-04-19 05:00:33 UTC
Description:
A patch that makes mod_ssl search for the server's hostname in the Subject Alternative Name extension of an X.509v3 certificate.
Filename:
MIME Type:
Creator:
Björn
Created:
2009-04-19 05:00:33 UTC
Size:
3.67 KB
patch
obsolete
>diff -NaurwB httpd-2.2.11.orig/modules/ssl/ssl_engine_init.c httpd-2.2.11/modules/ssl/ssl_engine_init.c
>--- httpd-2.2.11.orig/modules/ssl/ssl_engine_init.c 2009-04-19 13:24:04.000000000 +0200
>+++ httpd-2.2.11/modules/ssl/ssl_engine_init.c 2009-04-19 13:29:17.000000000 +0200
>@@ -830,18 +830,19 @@
> int fnm_flags = APR_FNM_PERIOD|APR_FNM_CASE_BLIND;
>
> if (apr_fnmatch_test(cn)) {
>- if (apr_fnmatch(cn, s->server_hostname,
>- fnm_flags) == APR_FNM_NOMATCH) {
>+ if ((apr_fnmatch(cn, s->server_hostname,
>+ fnm_flags) == APR_FNM_NOMATCH) &&
>+ !SSL_X509_checkANs(cert, s)) {
> ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
> "%s server certificate wildcard CommonName "
> "(CN) `%s' does NOT match server name!?",
> ssl_asn1_keystr(type), cn);
> }
> }
>- else if (strNE(s->server_hostname, cn)) {
>+ else if (strNE(s->server_hostname, cn) && !SSL_X509_checkANs(cert, s)) {
> ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
>- "%s server certificate CommonName (CN) `%s' "
>- "does NOT match server name!?",
>+ "%s server certificate CommonName (CN) `%s' or Subject"
>+ "Alternative Name do NOT match server name!?",
> ssl_asn1_keystr(type), cn);
> }
> }
>diff -NaurwB httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.c httpd-2.2.11/modules/ssl/ssl_util_ssl.c
>--- httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.c 2009-04-19 13:24:04.000000000 +0200
>+++ httpd-2.2.11/modules/ssl/ssl_util_ssl.c 2009-04-19 13:31:00.000000000 +0200
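Review bot: The rewritten warning text in the non-wildcard branch is missing a space at the string-literal boundary: `"... or Subject"` followed by `"Alternative Name do NOT match ..."` is concatenated to "or SubjectAlternative Name" in the log. The first literal should end with a space, `"%s server certificate CommonName (CN) `%s' or Subject "`. The wildcard branch now also consults SSL_X509_checkANs before warning but still reports only the CN mismatch, so the two messages are inconsistent about what was actually checked; it would be clearer to mention the Subject Alternative Name there as well. The enclosing function starts and ends outside this hunk, so I cannot see whether `cert` is the same object in both branches, but the calls appear symmetric.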
>@@ -354,6 +354,47 @@
> #endif
> }
>
>+/* check the list of possibly existing altnames for the server name */
>+BOOL SSL_X509_checkANs(X509 *cert, server_rec *s)
>+{
>+#ifdef HAVE_SSL_X509V3_EXT_d2i
>+ X509_EXTENSION *ext;
>+ GENERAL_NAMES *gns;
>+ GENERAL_NAME *gn;
>+ BOOL result = FALSE;
>+ int idx, i;
>+
>+ if ((idx = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) < 0)
>+ return FALSE;
>+ ext = X509_get_ext(cert, idx);
>+ if (ext == NULL)
>+ return FALSE;
>+ if ((gns = (GENERAL_NAMES*)X509V3_EXT_d2i(ext)) == NULL)
>+ return FALSE;
>+
>+ for(i = 0; i < sk_GENERAL_NAME_num(gns); i++) {
>+ gn = sk_GENERAL_NAME_value(gns, i);
>+ if (gn->type == GEN_DNS) {
>+ if (apr_fnmatch_test(gn->d.ia5->data)) {
>+ if (apr_fnmatch(gn->d.ia5->data, s->server_hostname, APR_FNM_PERIOD|APR_FNM_CASE_BLIND) != APR_FNM_NOMATCH) {
>+ result = TRUE;
>+ goto cleanup;
>+ }
>+ } else if (!strNE(s->server_hostname, gn->d.ia5->data)) {
>+ result = TRUE;
>+ goto cleanup;
>+ }
>+ }
>+ }
>+
>+ cleanup:
>+ GENERAL_NAMES_free(gns);
>+ return result;
>+#else
>+ return FALSE;
>+#endif
>+}
>+
> /* retrieve subject CommonName of certificate */
> BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
> {
>diff -NaurwB httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.h httpd-2.2.11/modules/ssl/ssl_util_ssl.h
>--- httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.h 2009-04-19 13:24:04.000000000 +0200
>+++ httpd-2.2.11/modules/ssl/ssl_util_ssl.h 2009-04-19 13:24:22.000000000 +0200
>@@ -85,6 +85,7 @@
> char *SSL_make_ciphersuite(apr_pool_t *, SSL *);
> BOOL SSL_X509_isSGC(X509 *);
> BOOL SSL_X509_getBC(X509 *, int *, int *);
>+BOOL SSL_X509_checkANs(X509 *, server_rec*);
> BOOL SSL_X509_getCN(apr_pool_t *, X509 *, char **);
> BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
> BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
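Review bot: SSL_X509_checkANs treats `gn->d.ia5->data` as a NUL-terminated C string in the apr_fnmatch_test/apr_fnmatch/strNE calls, but an ASN1_IA5STRING carries an explicit `length` and the DER value is not guaranteed to be NUL-free, so a dNSName containing an embedded NUL would be compared only up to that byte. Here the certificate is the server's own configured one, inspected at init time, so the consequence is a misleading match or missed warning rather than a peer-authentication bypass; still, guarding the comparison with `if (gn->d.ia5->length != (int)strlen((const char *)gn->d.ia5->data)) continue;` keeps the helper safe if it is later reused on peer certificates. `data` is also `unsigned char *`, so the calls need `(const char *)` casts to avoid incompatible-pointer warnings under `-Wall`. The header comment should state the contract, e.g. `/* Return TRUE if any dNSName entry of the subjectAltName extension matches s->server_hostname (wildcards via apr_fnmatch), FALSE otherwise or when X509V3_EXT_d2i is unavailable */`. The ssl_util_ssl.h hunk is only the matching prototype and needs no separate comment.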