From c1a42e25a35b16821eaf88418c449741d1638c00 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 26 Apr 2017 09:48:26 -0400
Subject: Always add the CN as the first SAN when creating a certificate in the GUI or an automatic GUI self-signed certificate. Per RFC 2818, relying on the CN to determine the hostname is deprecated, SANs are required. Chrome 58 started enforcing this requirement. Fixes #7496
---
 src/etc/inc/system.inc | 4 +++-
 src/usr/local/www/system_certmanager.php | 16 +++++++++++++---
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 3238016..a09ff9b 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1278,6 +1278,7 @@ function system_webgui_create_certificate() {
 $cert = array();
 $cert['refid'] = uniqid();
 $cert['descr'] = sprintf(gettext("webConfigurator default (%s)"), $cert['refid']);
+ $cert_hostname = "{$config['system']['hostname']}-{$cert['refid']}";
 
 $dn = array(
 'countryName' => "US",
@@ -1285,7 +1286,8 @@ function system_webgui_create_certificate() {
 'localityName' => "Locality",
 'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate",
 'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}",
- 'commonName' => "{$config['system']['hostname']}-{$cert['refid']}");
+ 'commonName' => $cert_hostname,
+ 'subjectAltName' => "DNS:{$cert_hostname}");
 $old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warnings directly to a page screwing menu tab */
 if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")) {
 while ($ssl_err = openssl_error_string()) {
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 538d7c0..0ead77e 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
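Review bot: The SAN added in the second system.inc hunk, `'subjectAltName' => "DNS:{$cert_hostname}"`, carries the `hostname-refid` string built in the first hunk, which is not a name any browser will ever request, so the self-signed certificate still fails RFC 2818 host matching even though it now has a SAN. Consider also listing the name the GUI is actually reached by, e.g. `'subjectAltName' => "DNS:{$cert_hostname},DNS:{$config['system']['hostname']}.{$config['system']['domain']}"` — the FQDN is already composed that way for emailAddress two lines above. Whether a comma-separated list is accepted depends on how cert_create() consumes the $dn entry, which is not in this diff. system_webgui_create_certificate() begins before the first hunk and continues after the second.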
@@ -426,12 +426,20 @@ if ($_POST) {
 if (!empty($pconfig['dn_organizationalunit'])) {
 $dn['organizationalUnitName'] = $pconfig['dn_organizationalunit'];
 }
+ if (is_ipaddr($pconfig['dn_commonname'])) {
+ $altnames_tmp = array("IP:{$pconfig['dn_commonname']}");
+ } else {
+ $altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");
+ }
 if (count($altnames)) {
- $altnames_tmp = "";
 foreach ($altnames as $altname) {
- $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+ // The CN is added as a SAN automatically, do not add it again.
+ if ($altname['value'] != $pconfig['dn_commonname']) {
+ $altnames_tmp[] = "{$altname['type']}:{$altname['value']}";
+ }
 }
-
+ }
+ if (!empty($altnames_tmp)) {
 $dn['subjectAltName'] = implode(",", $altnames_tmp);
 }
@@ -795,6 +803,8 @@ if ($act == "new" || (($_POST['save'] == gettext("Save")) && $input_errors)) {
 $group->addClass('repeatable');
+ $group->setHelp('Enter additional identifiers for the certificate in this list. The Common Name field is automatically added to the certificate as an Alternative Name.');
+
 $section->add($group);
 $counter++;
-- 
cgit v1.1
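Review bot: The de-duplication test `if ($altname['value'] != $pconfig['dn_commonname'])` in the first hunk uses loose comparison and ignores the entry's type, so a `DNS:` entry is dropped merely because its value equals an IP-typed CN, while an exact duplicate pair elsewhere in the list is still emitted twice. Comparing the finished SAN string against everything already collected is stricter and covers those cases too: `$san = "{$altname['type']}:{$altname['value']}";` `if (!in_array($san, $altnames_tmp, true)) {` `$altnames_tmp[] = $san;`. Because the entries are joined with `,` into $dn['subjectAltName'], the per-entry validation that presumably runs earlier in this handler has to reject separator characters in type and value; that code is outside the hunk. The enclosing `if ($_POST)` block starts and ends outside the hunk.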