
Revision 3cb773da

Added by yarick123 over 9 years ago

cherry pick from 'hotfix/3347-Certificate_Authority_SAN_names_not_working':

bugfix #3347: Certificate Authority SAN names not working in 2.1

subjectAltName can be set only via configuration file - created three extra sections in openssl.cnf to use in case of existing subjectAltName.

Unfortunately it is not possible to assign an empty value to subjectAltName in openssl.cnf

View differences:

etc/inc/certs.inc
293 293
			break;
294 294
	}
295 295

  
296
	// in case of using Subject Alternative Names use other sections (with postfix '_san')
297
	// pass subjectAltName over environment variable 'SAN'
298
	if ($dn['subjectAltName']) {
299
		putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file
300
		$cert_type .= '_san';
301
		unset($dn['subjectAltName']);
302
	}
303

  
296 304
	$args = array(
297 305
		"x509_extensions" => $cert_type,
298 306
		"digest_alg" => $digest_alg,
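Review bot: `if ($dn['subjectAltName'])` emits an undefined-index notice whenever the caller never sets that key; `!empty($dn['subjectAltName'])` is the safer test. The value is also handed to OpenSSL through the process environment without any validation and is never cleared afterwards, so it stays visible to anything this PHP process spawns later; validating it as a comma-separated list of `DNS:`/`IP:`/`email:` entries before the `putenv`, and clearing it with `putenv('SAN')` once the `openssl_*` call returns, would close both gaps. Note too that the `_san` suffix only resolves to a section for the three types this commit adds (`usr_cert`, `server`, `v3_ca`); any other `$cert_type` combined with a SAN would reference a section that does not exist in openssl.cnf.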
etc/ssl/openssl.cnf
9 9
HOME                    = .
10 10
RANDFILE                = $ENV::HOME/.rnd
11 11

  
12
# default SAN value if $ENV::SAN is not defined
13
#
14
SAN                     =
15

  
12 16
# Extra OBJECT IDENTIFIER info:
13 17
#oid_file               = $ENV::HOME/.oid
14 18
oid_section             = new_oids
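Review bot: the top-level `SAN =` default only matters if a `_san` section is loaded while `$ENV::SAN` is unset, and as the commit message itself notes an empty `subjectAltName=` makes OpenSSL fail to load the extension section, so this fallback never yields a working configuration. Either drop the default and state in the comment that the `_san` sections require the variable to be exported, or say explicitly that the empty default is a placeholder that will error out; the bare `#` line between the comment and the assignment can also go.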
......
212 216
#nsCaPolicyUrl
213 217
#nsSslServerName
214 218

  
219
[ usr_cert_san ]
220

  
221
# copy of [ usr_cert ] plus nonempty Subject Alternative Names
222
basicConstraints=CA:FALSE
223
nsComment                       = "OpenSSL Generated User Certificate"
224
subjectKeyIdentifier=hash
225
authorityKeyIdentifier=keyid,issuer:always
226
subjectAltName=$ENV::SAN
227

  
215 228
[ server ]
216 229

  
217 230
# Make a cert with nsCertType=server
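Review bot: `[ usr_cert_san ]` duplicates `[ usr_cert ]` line by line and appends `subjectAltName=$ENV::SAN`, so any later change to `[ usr_cert ]` (a new `keyUsage`, a changed `authorityKeyIdentifier`) will silently not apply to certificates with SANs unless someone remembers to mirror it; the comment should say the two sections must be kept in sync. The substituted `$ENV::SAN` value is also used verbatim, so the SAN list has to be validated on the PHP side before it is exported.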
......
223 236
extendedKeyUsage=serverAuth
224 237
keyUsage = digitalSignature, keyEncipherment
225 238

  
239
[ server_san ]
240

  
241
# copy of [ server ] plus nonempty Subject Alternative Names
242
basicConstraints=CA:FALSE
243
nsCertType			= server
244
nsComment			= "OpenSSL Generated Server Certificate"
245
subjectKeyIdentifier=hash
246
authorityKeyIdentifier=keyid,issuer:always
247
extendedKeyUsage=serverAuth
248
keyUsage = digitalSignature, keyEncipherment
249
subjectAltName=$ENV::SAN
250

  
226 251
[ v3_req ]
227 252

  
228 253
# Extensions to add to a certificate request
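Review bot: the same keep-in-sync concern applies to `[ server_san ]`, which is a copy of `[ server ]` plus `subjectAltName` and will drift from it over time. Style: `nsCertType` and `nsComment` are padded with tabs while the remaining keys use no padding or a single space; match the alignment used by the surrounding sections.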
......
267 292
# You can even override a supported extension:
268 293
# basicConstraints= critical, DER:30:03:01:01:FF
269 294

  
295
[ v3_ca_san ]
296

  
297
# copy of [ v3_ca ] plus nonempty Subject Alternative Names
298
subjectKeyIdentifier=hash
299
authorityKeyIdentifier=keyid:always,issuer:always
300
basicConstraints = CA:true
301
subjectAltName=$ENV::SAN
302

  
270 303
[ crl_ext ]
271 304

  
272 305
# CRL extensions.
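Review bot: `[ v3_ca_san ]` is the section that actually addresses #3347 (a SAN on a `CA:true` certificate), but like the other two it is an unreferenced copy of its base section and needs the same keep-in-sync comment. Since `[ v3_ca ]` itself is not in this hunk, please confirm that `basicConstraints = CA:true` without `critical` and `authorityKeyIdentifier=keyid:always,issuer:always` match the original section exactly, so that CA certificates with and without SANs get identical extensions apart from `subjectAltName`.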
