diff options
| author | jim-p <jimp@pfsense.org> | 2017-04-26 09:48:26 -0400 |
|---|---|---|
| committer | jim-p <jimp@pfsense.org> | 2017-04-26 09:50:20 -0400 |
| commit | cad0d5bc8da8034c4fa7f41e5476a80b0c38b04f (patch) | |
| tree | 1371781d59dd5fef6b3508d2aa0aa2fe667dee33 | |
| parent | 4d473e17ddd8b894c11d1e9a677e7dde9476a671 (diff) | |
| download | pfsense-cad0d5bc8da8034c4fa7f41e5476a80b0c38b04f.zip pfsense-cad0d5bc8da8034c4fa7f41e5476a80b0c38b04f.tar.gz | |
Always add the CN as the first SAN when creating a certificate in the GUI or an automatic GUI self-signed certificate. Per RFC 2818, relying on the CN to determine the hostname is deprecated, SANs are required. Chrome 58 started enforcing this requirement. Fixes #7496
| -rw-r--r-- | src/etc/inc/system.inc | 4 | ||||
| -rw-r--r-- | src/usr/local/www/system_certmanager.php | 16 |
2 files changed, 16 insertions, 4 deletions
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc index 1e12513..22af5ae 100644 --- a/src/etc/inc/system.inc +++ b/src/etc/inc/system.inc @@ -1281,6 +1281,7 @@ function system_webgui_create_certificate() { $cert = array(); $cert['refid'] = uniqid(); $cert['descr'] = sprintf(gettext("webConfigurator default (%s)"), $cert['refid']); + $cert_hostname = "{$config['system']['hostname']}-{$cert['refid']}"; $dn = array( 'countryName' => "US", @@ -1288,7 +1289,8 @@ function system_webgui_create_certificate() { 'localityName' => "Locality", 'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate", 'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}", - 'commonName' => "{$config['system']['hostname']}-{$cert['refid']}"); + 'commonName' => $cert_hostname, + 'subjectAltName' => "DNS:{$cert_hostname}"); $old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warnings directly to a page screwing menu tab */ if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")) { while ($ssl_err = openssl_error_string()) { diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php index c19b2f8..5b3972c 100644 --- a/src/usr/local/www/system_certmanager.php +++ b/src/usr/local/www/system_certmanager.php @@ -426,12 +426,20 @@ if ($_POST) { if (!empty($pconfig['dn_organizationalunit'])) { $dn['organizationalUnitName'] = $pconfig['dn_organizationalunit']; } + if (is_ipaddr($pconfig['dn_commonname'])) { + $altnames_tmp = array("IP:{$pconfig['dn_commonname']}"); + } else { + $altnames_tmp = array("DNS:{$pconfig['dn_commonname']}"); + } if (count($altnames)) { - $altnames_tmp = ""; foreach ($altnames as $altname) { - $altnames_tmp[] = "{$altname['type']}:{$altname['value']}"; + // The CN is added as a SAN automatically, do not add it again. + if ($altname['value'] != $pconfig['dn_commonname']) { + $altnames_tmp[] = "{$altname['type']}:{$altname['value']}"; + } } - + } + if (!empty($altnames_tmp)) { $dn['subjectAltName'] = implode(",", $altnames_tmp); } @@ -797,6 +805,8 @@ if ($act == "new" || (($_POST['save'] == gettext("Save")) && $input_errors)) { $group->addClass('repeatable'); + $group->setHelp('Enter additional identifiers for the certificate in this list. The Common Name field is automatically added to the certificate as an Alternative Name.'); + $section->add($group); $counter++; |
