Bug #3733
closedCertificate manager doesn't allow wildcards in Subject Alternative Names
100%
Description
Hi there,
Having a wildcard certificate in the DNS Subject Alternative Name is valid, but the pfSense webinterface doesn't allow this.
Instead, it displays an error message:
The following input errors were detected:
DNS subjectAltName values must be valid hostnames or FQDNs
Would it be possible to change the error checking of the webinterface so wildcard DNS names are allowed in the "DNS subjectAltName"-field?
Files
Updated by Daniel Schultheis over 9 years ago
You can achive this behaviour by modifying the file /etc/inc/util.inc
The problem lies within the is_domain() method which checks if the entered domain is indeed a valid domain string. Search for this method inside /etc/inc/util.inc and replace this line
if (preg_match('/^(?:(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i', $domain))
with the following
if (preg_match('/^(?:(?:[a-z_0-9\*]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i', $domain))
This will allow a wildcard (*) as the first character allowing you to define wildcard domains in the SAN fields.
I hope this will make it inside the public release at some point.
Updated by Jim Pingle over 9 years ago
That change is unlikely to make it in unless it's in a separate function or a separate option to the function to activate the behavior. Allowing wildcards in that function unconditionally would allow them in other places where they are not functional (e.g. aliases, hostname fields for things like VPN peer addresses, etc).
Updated by Daniel Schultheis over 9 years ago
I've created a patch which now wraps this whole behaviour in a seperate function call.
In /usr/local/www/system_certmanager.php a new function is_wildcard_hostname() is called. This function is a copy of is_hostname() in /etc/inc/util.inc which in return will call a new function is_wildcard_domain() which checks the hostname against the modified regular expression.
Updated by Daniel Schultheis over 9 years ago
I've just optimized the patch a bit to revert back to the original functions which now have an additional $allow_wildcard parameter which defaults to false if not set.
Updated by Daniel Schultheis over 9 years ago
I made a silly mistake which is now fixed. Here is an updated patch.
Updated by Phillip Davis over 9 years ago
It will be easy if you submit a pull request at https://github.com/pfsense/pfsense
Then the devs can easily review, comment and commit...
Updated by Daniel Schultheis over 9 years ago
I've created the pull request @ https://github.com/pfsense/pfsense/pull/1713
Updated by Chris Buechler over 9 years ago
- Status changed from New to Confirmed
- Priority changed from Low to Normal
- Target version set to 2.3
- Affected Version set to All
Thanks Daniel. Merge request won't cleanly merge anymore, added a note there. If you can get an ICLA on file and submit an updated pull request we'll get that in for 2.3.
Updated by Daniel Schultheis over 9 years ago
I've now registered for the ICLA (Username: dachande) and just created a new pull request @ https://github.com/pfsense/pfsense/pull/1902
Updated by Renato Botelho over 9 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Pull request has been merged
Updated by Jim Pingle about 9 years ago
- Status changed from Feedback to Resolved
Works. I can make an FQDN SAN and it ends up in the cert
X509v3 Subject Alternative Name: DNS:*.dw.example.com