Bug #3733

closed

Certificate manager doesn't allow wildcards in Subject Alternative Names

Added by Johan Braeken about 7 years ago. Updated almost 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Certificates
Target version:
Start date:
07/03/2014
Due date:
% Done:
100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

Hi there,

Having a wildcard certificate in the DNS Subject Alternative Name is valid, but the pfSense web interface doesn't allow this.
Instead, it displays an error message:

The following input errors were detected:

DNS subjectAltName values must be valid hostnames or FQDNs

Would it be possible to change the error checking of the web interface so wildcard DNS names are allowed in the "DNS subjectAltName" field?


Actions #1

Updated by Daniel Schultheis over 6 years ago

You can achieve this behaviour by modifying the file /etc/inc/util.inc

The problem lies within the is_domain() method which checks if the entered domain is indeed a valid domain string. Search for this method inside /etc/inc/util.inc and replace this line

if (preg_match('/^(?:(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i', $domain))

with the following

if (preg_match('/^(?:(?:[a-z_0-9\*]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i', $domain))

This will allow a wildcard (*) as the first character allowing you to define wildcard domains in the SAN fields.

I hope this will make it inside the public release at some point.

Actions #2

Updated by Jim Pingle over 6 years ago

That change is unlikely to make it in unless it's in a separate function or a separate option to the function to activate the behavior. Allowing wildcards in that function unconditionally would allow them in other places where they are not functional (e.g. aliases, hostname fields for things like VPN peer addresses, etc).

Actions #3

Updated by Daniel Schultheis over 6 years ago

I've created a patch which now wraps this whole behaviour in a separate function call.

In /usr/local/www/system_certmanager.php a new function is_wildcard_hostname() is called. This function is a copy of is_hostname() in /etc/inc/util.inc which in return will call a new function is_wildcard_domain() which checks the hostname against the modified regular expression.

Actions #4

Updated by Daniel Schultheis over 6 years ago

I've just optimized the patch a bit to revert back to the original functions which now have an additional $allow_wildcard parameter which defaults to false if not set.
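
The validator below is an added illustration, not pfSense's util.inc and not the code from the pull request in this ticket. It assembles the two regular expressions quoted in comment #1 behind the `$allow_wildcard` parameter described in comment #4, so that the strict callers Jim mentions in comment #2 (aliases, VPN peer addresses) keep rejecting wildcards by default while the certificate manager can opt in. The function names `is_domain_example()` and `is_acceptable_dns_san()` and the sample inputs are assumptions of mine; the leftmost-label refinement is also my addition and is not part of the ticket's patch.

```php
<?php
// Added illustration, not pfSense's util.inc: a hostname check built from the
// two regular expressions quoted in comment #1, switched by the $allow_wildcard
// flag described in comment #4. The function names are assumptions.

function is_domain_example(string $domain, bool $allow_wildcard = false): bool
{
    // Inner labels: either one character, or a run that starts and ends with
    // [a-z_0-9] and may contain hyphens. Only the one-character alternative
    // gains '*' when wildcards are allowed, exactly as in the patched regex.
    $single = $allow_wildcard ? '[a-z_0-9\*]' : '[a-z_0-9]';
    $label  = '(?:' . $single . '|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])';
    // The last label never admits '*', so a bare "*" is rejected either way.
    $last   = '(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])';
    $re     = '/^(?:' . $label . '\.)*' . $last . '$/i';
    return preg_match($re, $domain) === 1;
}

// Because '*' is accepted as any one-character inner label, the patched regex
// also passes names such as "www.*.example.com". RFC 6125 only recognises a
// wildcard as the complete leftmost label, so a certificate manager that opts
// in should add this check (my addition, not in the ticket's patch).
function is_acceptable_dns_san(string $san): bool
{
    if (!is_domain_example($san, true)) {
        return false;
    }
    foreach (explode('.', $san) as $index => $label) {
        if ($label === '*' && $index !== 0) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs exercising the strict path (aliases, VPN peers),
// the opt-in path (certificate manager), and the leftmost-label refinement.
$samples = ['www.example.com', '*.example.com', 'www.*.example.com', '*', '-bad.example.com'];
foreach ($samples as $name) {
    printf("%-20s strict=%-5s wildcard=%-5s san=%s\n",
        $name,
        is_domain_example($name) ? 'true' : 'false',
        is_domain_example($name, true) ? 'true' : 'false',
        is_acceptable_dns_san($name) ? 'true' : 'false');
}
```

Run with `php` on the command line; the strict column shows why an unconditional regex change would have leaked into every caller of the original function, and the san column shows the extra tightening a certificate manager needs beyond the regex alone.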

Actions #5

Updated by Daniel Schultheis over 6 years ago

I made a silly mistake which is now fixed. Here is an updated patch.

Actions #6

Updated by Phillip Davis over 6 years ago

It will be easy if you submit a pull request at https://github.com/pfsense/pfsense
Then the devs can easily review, comment and commit...

Actions #7

Updated by Daniel Schultheis over 6 years ago

I've created the pull request @ https://github.com/pfsense/pfsense/pull/1713

Actions #8

Updated by Chris Buechler about 6 years ago

  • Status changed from New to Confirmed
  • Priority changed from Low to Normal
  • Target version set to 2.3
  • Affected Version set to All

Thanks Daniel. Merge request won't cleanly merge anymore, added a note there. If you can get an ICLA on file and submit an updated pull request we'll get that in for 2.3.

Actions #9

Updated by Daniel Schultheis about 6 years ago

I've now registered for the ICLA (Username: dachande) and just created a new pull request @ https://github.com/pfsense/pfsense/pull/1902

Actions #10

Updated by Renato Botelho almost 6 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Pull request has been merged

Actions #11

Updated by Jim Pingle almost 6 years ago

  • Status changed from Feedback to Resolved

Works. I can make an FQDN SAN and it ends up in the cert:

            X509v3 Subject Alternative Name: 
                DNS:*.dw.example.com