[Privoxy-commits] [privoxy] 15/15: OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name
User Git
git at git.privoxy.org
Mon Mar 15 14:44:03 UTC 2021
This is an automated email from the git hooks/post-receive script.
git pushed a commit to branch master
in repository privoxy.
commit 7fb2856b4d81f1a6c63054cc8a002b9aa3a5fb69
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Mon Mar 15 10:34:27 2021 +0100
OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name
... Org and Org Unit if the real host name is too long to
get accepted by OpenSSL.
Prevents failures like:
2021-03-15 10:04:34.318 802816f00 Error: X509 subject name (code: CN, val: only-d-pmjr9f4mclevwwl2mwckreicm8k1afzk-1615774207025.nstool.netease.com) error: error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too
Clients should only care about the Subject Alternative Name
anyway and we can continue to use the real host name for it.
Reported by Miles Wen on privoxy-users at .
---
openssl.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/openssl.c b/openssl.c
index 97cb62a4..4dac8ea9 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1751,6 +1751,8 @@ static int generate_host_certificate(struct client_state *csp)
cert_options cert_opt;
char cert_valid_from[VALID_DATETIME_BUFLEN];
char cert_valid_to[VALID_DATETIME_BUFLEN];
+ const char *common_name;
+ enum { CERT_PARAM_COMMON_NAME_MAX = 64 };
/* Paths to keys and certificates needed to create certificate */
cert_opt.issuer_key = NULL;
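Review bot: the value 64 in `CERT_PARAM_COMMON_NAME_MAX` is introduced without a comment saying where it comes from. A one-line note that it is the X.509 upper bound for the commonName attribute (ub-common-name in RFC 5280) would let a reader check it against the limit OpenSSL enforces. The other `CERT_PARAM_*` identifiers used in this function appear to be defined outside it, so consider declaring the limit alongside them instead of as a function-local enum.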
@@ -1866,8 +1868,15 @@ static int generate_host_certificate(struct client_state *csp)
goto exit;
}
+ /*
+ * Make sure OpenSSL doesn't reject the common name due to its length.
+ * The clients should only care about the Subject Alternative Name anyway
+ * and we always use the real host name for that.
+ */
+ common_name = (strlen(csp->http->host) > CERT_PARAM_COMMON_NAME_MAX) ?
+ CGI_SITE_2_HOST : csp->http->host;
if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_COMMON_NAME_FCODE,
- MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+ MBSTRING_ASC, (void *)common_name, -1, -1, 0))
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
@@ -1876,7 +1885,7 @@ static int generate_host_certificate(struct client_state *csp)
goto exit;
}
if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORGANIZATION_FCODE,
- MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+ MBSTRING_ASC, (void *)common_name, -1, -1, 0))
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
@@ -1885,7 +1894,7 @@ static int generate_host_certificate(struct client_state *csp)
goto exit;
}
if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORG_UNIT_FCODE,
- MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+ MBSTRING_ASC, (void *)common_name, -1, -1, 0))
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",