
Always add the CN as the first SAN when creating a certificate in the…

… GUI or an automatic GUI self-signed certificate. Per RFC 2818 (section 3.1), relying on the CN to determine the hostname is deprecated; clients are expected to match the hostname against a subjectAltName instead. Chrome 58 started enforcing this requirement. Fixes #7496
jim-p committed Apr 26, 2017
1 parent 4d473e1 commit cad0d5bc8da8034c4fa7f41e5476a80b0c38b04f
Showing with 16 additions and 4 deletions.
  1. +3 −1 src/etc/inc/system.inc
  2. +13 −3 src/usr/local/www/system_certmanager.php
@@ -1281,14 +1281,16 @@ function system_webgui_create_certificate() {
$cert = array();
$cert['refid'] = uniqid();
$cert['descr'] = sprintf(gettext("webConfigurator default (%s)"), $cert['refid']);
$cert_hostname = "{$config['system']['hostname']}-{$cert['refid']}";

$dn = array(
'countryName' => "US",
'stateOrProvinceName' => "State",
'localityName' => "Locality",
'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate",
'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}",
'commonName' => "{$config['system']['hostname']}-{$cert['refid']}");
'commonName' => $cert_hostname,
'subjectAltName' => "DNS:{$cert_hostname}");
$old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warnings directly to a page screwing menu tab */
if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")) {
while ($ssl_err = openssl_error_string()) {
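Review bot: The only SAN written at the new `'subjectAltName' => "DNS:{$cert_hostname}"` line is `hostname-<uniqid>`, a name nobody resolves or types into a browser, so an admin who imports this default certificate as trusted will still get a hostname mismatch when connecting by the box's actual name; the change satisfies Chrome's "SAN must exist" check but not its "SAN must match" check. If the intent is for the placeholder to be usable after trust is granted, add the FQDN as a second entry, e.g. `'subjectAltName' => "DNS:{$cert_hostname},DNS:{$config['system']['hostname']}.{$config['system']['domain']}"` (the management IP could be added as `IP:` the same way, but that value is not visible in this hunk). If the unique-name SAN is deliberate so the default cert is never mistaken for a real one, a one-line comment saying so above the `$dn` array would stop the next reader from "fixing" it. Note that hostname and domain are interpolated unescaped into a comma-separated OpenSSL SAN string, so this relies on them having been validated elsewhere. system_webgui_create_certificate() starts before this hunk and continues after it.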
@@ -426,12 +426,20 @@
if (!empty($pconfig['dn_organizationalunit'])) {
$dn['organizationalUnitName'] = $pconfig['dn_organizationalunit'];
}
if (is_ipaddr($pconfig['dn_commonname'])) {
$altnames_tmp = array("IP:{$pconfig['dn_commonname']}");
} else {
$altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");
}
if (count($altnames)) {
$altnames_tmp = "";
foreach ($altnames as $altname) {
$altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
// The CN is added as a SAN automatically, do not add it again.
if ($altname['value'] != $pconfig['dn_commonname']) {
$altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
}
}

}
if (!empty($altnames_tmp)) {
$dn['subjectAltName'] = implode(",", $altnames_tmp);
}

@@ -797,6 +805,8 @@

$group->addClass('repeatable');

$group->setHelp('Enter additional identifiers for the certificate in this list. The Common Name field is automatically added to the certificate as an Alternative Name.');

$section->add($group);

$counter++;
