authorjim-p <jimp@pfsense.org>2017-04-26 09:48:26 -0400
committerjim-p <jimp@pfsense.org>2017-04-26 09:50:27 -0400
commitc1a42e25a35b16821eaf88418c449741d1638c00 (patch)
tree6d363754bca567276519511787b063bd4c71eb21
parent39413152f93d9eec3789ed11349cb10e49100927 (diff)
downloadpfsense-c1a42e25a35b16821eaf88418c449741d1638c00.zip
pfsense-c1a42e25a35b16821eaf88418c449741d1638c00.tar.gz
Always add the CN as the first SAN when creating a certificate in the GUI or an automatic GUI self-signed certificate. Per RFC 2818, relying on the CN to determine the hostname is deprecated; the hostname must be carried in a subjectAltName. Chrome 58 started enforcing this requirement. Fixes #7496
-rw-r--r--src/etc/inc/system.inc4
-rw-r--r--src/usr/local/www/system_certmanager.php16
2 files changed, 16 insertions, 4 deletions
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 3238016..a09ff9b 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1278,6 +1278,7 @@ function system_webgui_create_certificate() {
$cert = array();
$cert['refid'] = uniqid();
$cert['descr'] = sprintf(gettext("webConfigurator default (%s)"), $cert['refid']);
+ $cert_hostname = "{$config['system']['hostname']}-{$cert['refid']}";
$dn = array(
'countryName' => "US",
@@ -1285,7 +1286,8 @@ function system_webgui_create_certificate() {
'localityName' => "Locality",
'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate",
'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}",
- 'commonName' => "{$config['system']['hostname']}-{$cert['refid']}");
+ 'commonName' => $cert_hostname,
+ 'subjectAltName' => "DNS:{$cert_hostname}");
$old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warnings directly to a page screwing menu tab */
if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")) {
while ($ssl_err = openssl_error_string()) {
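Review bot: The SAN added at `'subjectAltName' => "DNS:{$cert_hostname}"` carries `hostname-refid`, a name no browser will ever connect to, so Chrome 58's SAN-based name matching still fails for the default webConfigurator certificate even though the CN is now mirrored into a SAN. The FQDN is already assembled for emailAddress on the line above, so the same value could be appended as a second entry: `'subjectAltName' => "DNS:{$cert_hostname},DNS:{$config['system']['hostname']}.{$config['system']['domain']}"`. Whether a self-signed default certificate is meant to pass hostname validation at all is a design choice, so this may be intentional; if so, a one-line comment saying the SAN only satisfies the structural requirement would stop the next reader from "fixing" it. system_webgui_create_certificate() starts before this hunk and continues past it.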
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 538d7c0..0ead77e 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
@@ -426,12 +426,20 @@ if ($_POST) {
if (!empty($pconfig['dn_organizationalunit'])) {
$dn['organizationalUnitName'] = $pconfig['dn_organizationalunit'];
}
+ if (is_ipaddr($pconfig['dn_commonname'])) {
+ $altnames_tmp = array("IP:{$pconfig['dn_commonname']}");
+ } else {
+ $altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");
+ }
if (count($altnames)) {
- $altnames_tmp = "";
foreach ($altnames as $altname) {
- $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+ // The CN is added as a SAN automatically, do not add it again.
+ if ($altname['value'] != $pconfig['dn_commonname']) {
+ $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+ }
}
-
+ }
+ if (!empty($altnames_tmp)) {
$dn['subjectAltName'] = implode(",", $altnames_tmp);
}
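Review bot: The else branch at `$altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");` turns any non-IP Common Name into a dNSName SAN, but the CN is free text on this form (a user certificate's CN is typically a person's name or e-mail address, and a CN with spaces or '@' is not a hostname), so this emits a malformed SAN that OpenSSL may reject at cert_create() or that clients will simply ignore. Gate the DNS case on a hostname check, e.g. `} elseif (is_hostname($pconfig['dn_commonname'])) {` followed by `} else { $altnames_tmp = array(); }`, so the existing `!empty($altnames_tmp)` guard skips subjectAltName when nothing valid was collected (I would expect an is_hostname() helper next to the is_ipaddr() already used here; confirm its exact name in util.inc). The duplicate check `if ($altname['value'] != $pconfig['dn_commonname'])` uses loose comparison, which treats numeric-looking strings such as "1e3" and "1000" as equal; `!==` is the safer form. The enclosing POST-handling block starts before this hunk.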
@@ -795,6 +803,8 @@ if ($act == "new" || (($_POST['save'] == gettext("Save")) && $input_errors)) {
$group->addClass('repeatable');
+ $group->setHelp('Enter additional identifiers for the certificate in this list. The Common Name field is automatically added to the certificate as an Alternative Name.');
+
$section->add($group);
$counter++;
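Review bot: The help string added via `$group->setHelp('Enter additional identifiers ...')` is user-facing but is not wrapped in gettext(), unlike the other strings in this file (see `gettext("Save")` in the hunk header), so it will never be translated. Wrap it: `$group->setHelp(gettext('Enter additional identifiers for the certificate in this list. The Common Name field is automatically added to the certificate as an Alternative Name.'));`. It would also help the user to say that the CN is added as an IP entry when it is an address and as a DNS entry otherwise, since that is what the POST handler now does. The enclosing form-building block starts before this hunk.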