author | jim-p <jimp@pfsense.org> | 2017-04-26 09:48:26 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2017-04-26 09:50:27 -0400 |
commit | c1a42e25a35b16821eaf88418c449741d1638c00 (patch) | |
tree | 6d363754bca567276519511787b063bd4c71eb21 | |
parent | 39413152f93d9eec3789ed11349cb10e49100927 (diff) | |
download | pfsense-c1a42e25a35b16821eaf88418c449741d1638c00.zip pfsense-c1a42e25a35b16821eaf88418c449741d1638c00.tar.gz |
Always add the CN as the first SAN when creating a certificate in the GUI or an automatic GUI self-signed certificate. Per RFC 2818, relying on the CN to determine the hostname is deprecated; SANs are required. Chrome 58 started enforcing this requirement. Fixes #7496
-rw-r--r-- | src/etc/inc/system.inc | 4 | ||||
-rw-r--r-- | src/usr/local/www/system_certmanager.php | 16 |
2 files changed, 16 insertions, 4 deletions
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 3238016..a09ff9b 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1278,6 +1278,7 @@ function system_webgui_create_certificate() {
 $cert = array();
 $cert['refid'] = uniqid();
 $cert['descr'] = sprintf(gettext("webConfigurator default (%s)"), $cert['refid']);
+ $cert_hostname = "{$config['system']['hostname']}-{$cert['refid']}";
 $dn = array(
 'countryName' => "US",
@@ -1285,7 +1286,8 @@ function system_webgui_create_certificate() {
 'localityName' => "Locality",
 'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate",
 'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}",
- 'commonName' => "{$config['system']['hostname']}-{$cert['refid']}");
+ 'commonName' => $cert_hostname,
+ 'subjectAltName' => "DNS:{$cert_hostname}");
 $old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warnings directly to a page screwing menu tab */
 if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")) {
 while ($ssl_err = openssl_error_string()) {
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 538d7c0..0ead77e 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
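Review bot: The SAN added at `'subjectAltName' => "DNS:{$cert_hostname}"` only repeats the CN, and `$cert_hostname` carries the `-{$cert['refid']}` suffix, so the name placed in the SAN is not a name a browser will connect to; the "a SAN must exist" check is satisfied in form, but hostname verification against the box's FQDN will still fail. If the intent is for the default certificate to match the GUI hostname, consider also listing it, e.g. `'subjectAltName' => "DNS:{$cert_hostname},DNS:{$config['system']['hostname']}.{$config['system']['domain']}"` — the same FQDN is already composed on the `emailAddress` line — or add a comment at the `$cert_hostname` assignment explaining why the refid-suffixed name is the only SAN. A dNSName SAN must be valid host-name syntax, which holds here since `uniqid()` yields hex digits and the hyphen is permitted, assuming `$config['system']['hostname']` is validated on input elsewhere. system_webgui_create_certificate() starts and ends outside these hunks.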
@@ -426,12 +426,20 @@ if ($_POST) {
 if (!empty($pconfig['dn_organizationalunit'])) {
 $dn['organizationalUnitName'] = $pconfig['dn_organizationalunit'];
 }
+ if (is_ipaddr($pconfig['dn_commonname'])) {
+ $altnames_tmp = array("IP:{$pconfig['dn_commonname']}");
+ } else {
+ $altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");
+ }
 if (count($altnames)) {
- $altnames_tmp = "";
 foreach ($altnames as $altname) {
- $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+ // The CN is added as a SAN automatically, do not add it again.
+ if ($altname['value'] != $pconfig['dn_commonname']) {
+ $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+ }
 }
-
+ }
+ if (!empty($altnames_tmp)) {
 $dn['subjectAltName'] = implode(",", $altnames_tmp);
 }
@@ -795,6 +803,8 @@ if ($act == "new" || (($_POST['save'] == gettext("Save")) && $input_errors)) {
 $group->addClass('repeatable');
+ $group->setHelp('Enter additional identifiers for the certificate in this list. The Common Name field is automatically added to the certificate as an Alternative Name.');
+
 $section->add($group);
 $counter++;
|
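Review bot: The de-duplication at `if ($altname['value'] != $pconfig['dn_commonname'])` uses loose `!=` and is case-sensitive, while DNS names are not, so a SAN entered as `Example.COM` against a CN of `example.com` is still emitted twice; compare with `strcasecmp($altname['value'], $pconfig['dn_commonname']) !== 0`, and consider restricting the skip to entries whose `type` matches the CN's kind, since an email or URI SAN whose text happens to equal the CN is currently dropped as well. The new `if (!empty($altnames_tmp))` guard is always true because the CN entry is pushed unconditionally a few lines above, so `$dn['subjectAltName']` can be assigned directly. If `$pconfig['dn_commonname']` can be empty at this point the code emits a bare `DNS:` entry — presumably the earlier input validation (outside the hunk) makes the CN required, worth confirming. The enclosing `if ($_POST)` block starts and ends outside the hunk.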
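Review bot: The help text in `$group->setHelp('Enter additional identifiers ...')` is a user-visible string passed without `gettext()`, unlike other GUI strings in this file (compare `gettext("Save")` in the hunk header), so it will not be translated; wrap it as `$group->setHelp(gettext('Enter additional identifiers for the certificate in this list. The Common Name field is automatically added to the certificate as an Alternative Name.'));`. The surrounding form-building block starts and ends outside the hunk.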