author | jim-p <jimp@pfsense.org> | 2017-04-26 09:48:26 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2017-04-26 09:48:26 -0400 |
commit | a636256cf9a7e27cf5d26c7677d0b7961e0fb143 (patch) | |
tree | 9e1a180633edea77b6a0c9064313aeccc304c59a /src | |
parent | e0b87e1a3809834186c4a596a1459f3f4827c120 (diff) | |
Always add the CN as the first SAN when creating a certificate in the GUI or an automatic GUI self-signed certificate. Per RFC 2818, relying on the CN to determine the hostname is deprecated; a subjectAltName entry is required. Chrome 58 started enforcing this requirement. Fixes #7496
Diffstat (limited to 'src')
-rw-r--r-- | src/etc/inc/system.inc | 4 | ||||
-rw-r--r-- | src/usr/local/www/system_certmanager.php | 16 |
2 files changed, 16 insertions, 4 deletions
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index b14e625..fb6e61a 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1237,6 +1237,7 @@ function system_webgui_create_certificate() {
 	$cert = array();
 	$cert['refid'] = uniqid();
 	$cert['descr'] = sprintf(gettext("webConfigurator default (%s)"), $cert['refid']);
+	$cert_hostname = "{$config['system']['hostname']}-{$cert['refid']}";
 
 	$dn = array(
 		'countryName' => "US",
@@ -1244,7 +1245,8 @@ function system_webgui_create_certificate() {
 		'localityName' => "Locality",
 		'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate",
 		'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}",
-		'commonName' => "{$config['system']['hostname']}-{$cert['refid']}");
+		'commonName' => $cert_hostname,
+		'subjectAltName' => "DNS:{$cert_hostname}");
 	$old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warnings directly to a page screwing menu tab */
 	if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")) {
 		while ($ssl_err = openssl_error_string()) {
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 74c55c2..04c41ab 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
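Review bot: The SAN added in the second system.inc hunk, `'subjectAltName' => "DNS:{$cert_hostname}"`, carries the uniqid() suffix (hostname-refid), so it can match neither the unit's configured FQDN nor the address a browser actually connects to; the default webConfigurator certificate will now pass Chrome's SAN-presence check but still fail hostname matching with a name-mismatch error. If the intent is for the generated certificate to validate against the configured name, the FQDN that the emailAddress field already builds should be listed as well, e.g. `'subjectAltName' => "DNS:{$cert_hostname},DNS:{$config['system']['hostname']}.{$config['system']['domain']}"`. This only removes the name-mismatch error; the certificate remains untrusted until the browser trusts it, which is worth a comment next to the SAN line so the limitation is not mistaken for a bug later. system_webgui_create_certificate() starts before and continues after the hunk and reads the globals $config and $g, whose declaration is not visible here.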
@@ -451,12 +451,20 @@ if ($_POST['save']) {
 	if (!empty($pconfig['dn_organizationalunit'])) {
 		$dn['organizationalUnitName'] = $pconfig['dn_organizationalunit'];
 	}
+	if (is_ipaddr($pconfig['dn_commonname'])) {
+		$altnames_tmp = array("IP:{$pconfig['dn_commonname']}");
+	} else {
+		$altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");
+	}
 	if (count($altnames)) {
-		$altnames_tmp = "";
 		foreach ($altnames as $altname) {
-			$altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+			// The CN is added as a SAN automatically, do not add it again.
+			if ($altname['value'] != $pconfig['dn_commonname']) {
+				$altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+			}
 		}
-
+	}
+	if (!empty($altnames_tmp)) {
 		$dn['subjectAltName'] = implode(",", $altnames_tmp);
 	}
 
@@ -889,6 +897,8 @@ if ($act == "new" || (($_POST['save'] == gettext("Save")) && $input_errors)) {
 		$group->addClass('repeatable');
+		$group->setHelp('Enter additional identifiers for the certificate in this list. The Common Name field is automatically added to the certificate as an Alternative Name.');
+
 		$section->add($group);
 		$counter++;
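Review bot: The de-duplication test in the first hunk, `if ($altname['value'] != $pconfig['dn_commonname'])`, compares only the value and ignores the type, so a user-supplied entry of a different type whose text equals the CN (for example an `email:` entry when the Common Name was typed as an address, which the new code has already emitted as `DNS:`) is silently dropped, while `DNS:Example.COM` beside a CN of `example.com` is kept even though DNS names match case-insensitively. Comparing the composed entry against what is already in the list is both stricter and simpler: `$entry = "{$altname['type']}:{$altname['value']}";` then `if (!in_array($entry, $altnames_tmp, true)) { $altnames_tmp[] = $entry; }`. The CN is also interpolated straight into the comma-joined OpenSSL SAN string, so a CN containing `,` would produce extra SAN entries; if `$pconfig['dn_commonname']` is validated earlier in the save handler this is harmless, but that validation is outside the hunk and worth a one-line comment here. The enclosing `if ($_POST['save'])` handler begins before and continues past this hunk.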