Bug #3733

Certificate manager doesn't allow wildcards in Subject Alternative Names

Added by Johan Braeken about 5 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Certificates
Target version:
Start date: 07/03/2014
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture:

Description

Hi there,

Having a wildcard certificate in the DNS Subject Alternative Name is valid, but the pfSense web interface doesn't allow this.
Instead, it displays an error message:

The following input errors were detected:

DNS subjectAltName values must be valid hostnames or FQDNs

Would it be possible to change the error checking of the web interface so wildcard DNS names are allowed in the "DNS subjectAltName" field?

History

#1 Updated by Daniel Schultheis about 4 years ago

You can achieve this behaviour by modifying the file /etc/inc/util.inc

The problem lies within the is_domain() method which checks if the entered domain is indeed a valid domain string. Search for this method inside /etc/inc/util.inc and replace this line

if (preg_match('/^(?:(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i', $domain))

with the following

if (preg_match('/^(?:(?:[a-z_0-9\*]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i', $domain))

This will allow a wildcard (*) as the first character allowing you to define wildcard domains in the SAN fields.

I hope this will make it inside the public release at some point.

#2 Updated by Jim Pingle about 4 years ago

That change is unlikely to make it in unless it's in a separate function or a separate option to the function to activate the behavior. Allowing wildcards in that function unconditionally would allow them in other places where they are not functional (e.g. aliases, hostname fields for things like VPN peer addresses, etc).

#3 Updated by Daniel Schultheis about 4 years ago

I've created a patch which now wraps this whole behaviour in a separate function call.

In /usr/local/www/system_certmanager.php a new function is_wildcard_hostname() is called. This function is a copy of is_hostname() in /etc/inc/util.inc which in turn will call a new function is_wildcard_domain() which checks the hostname against the modified regular expression.

#4 Updated by Daniel Schultheis about 4 years ago

I've just optimized the patch a bit to revert back to the original functions which now have an additional $allow_wildcard parameter which defaults to false if not set.
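
The approach comments #1 through #4 converge on, written out as an added example (not code from the pfSense patch or pull request): the domain check gains an $allow_wildcard parameter that defaults to false, so aliases and hostname fields keep rejecting wildcards while the DNS subjectAltName validation can opt in. The function name is_domain_example and the constant DOMAIN_PATTERN are assumed; the base pattern is the is_domain() regex quoted in comment #1. It deliberately differs from the comment #1 regex, which accepts "*" as any single-character label (e.g. a.*.example.com), by allowing "*" only as the entire leftmost label.

```php
<?php
// Added illustration, not pfSense's own code. Shape follows comment #4: the
// existing domain check gains an $allow_wildcard parameter defaulting to false.
// Unlike the comment #1 regex, which accepts "*" as any single-character label,
// "*" is accepted only as the whole leftmost label and the remainder must still
// pass the unmodified domain pattern.

// Base pattern copied from the is_domain() line quoted in comment #1.
const DOMAIN_PATTERN = '/^(?:(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i';

function is_domain_example($domain, $allow_wildcard = false) {
    if (!is_string($domain) || $domain === '') {
        return false;
    }
    // Strip a leading "*." only when the caller opted in and something follows it.
    if ($allow_wildcard && strlen($domain) > 2 && substr($domain, 0, 2) === '*.') {
        $domain = substr($domain, 2);
    }
    // Any "*" still present is in an unsupported position ("*", "*.", "a.*.b", "*a.b").
    if (strpos($domain, '*') !== false) {
        return false;
    }
    return preg_match(DOMAIN_PATTERN, $domain) === 1;
}

// Constructed inputs: the wildcard flag would be passed only by the DNS
// subjectAltName validation, never by alias or hostname fields (comment #2).
$cases = array(
    array('www.example.com',  false, true),
    array('*.dw.example.com', false, false), // rejected without opt-in
    array('*.dw.example.com', true,  true),  // the form seen in the cert in comment #11
    array('a.*.example.com',  true,  false), // the comment #1 regex would accept this
    array('*',                true,  false),
    array('*.',               true,  false),
    array('*a.example.com',   true,  false),
);
foreach ($cases as $c) {
    list($input, $flag, $expected) = $c;
    $got = is_domain_example($input, $flag);
    printf("%-18s allow_wildcard=%-5s -> %s %s\n", $input, $flag ? 'true' : 'false',
        $got ? 'valid' : 'invalid', $got === $expected ? '' : '(UNEXPECTED)');
}
```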

#5 Updated by Daniel Schultheis about 4 years ago

I made a silly mistake which is now fixed. Here is an updated patch.

#6 Updated by Phillip Davis about 4 years ago

It will be easy if you submit a pull request at https://github.com/pfsense/pfsense
Then the devs can easily review, comment and commit...

#7 Updated by Daniel Schultheis about 4 years ago

I've created the pull request @ https://github.com/pfsense/pfsense/pull/1713

#8 Updated by Chris Buechler almost 4 years ago

  • Status changed from New to Confirmed
  • Priority changed from Low to Normal
  • Target version set to 2.3
  • Affected Version set to All

Thanks Daniel. Merge request won't cleanly merge anymore, added a note there. If you can get an ICLA on file and submit an updated pull request we'll get that in for 2.3.

#9 Updated by Daniel Schultheis almost 4 years ago

I've now registered for the ICLA (Username: dachande) and just created a new pull request @ https://github.com/pfsense/pfsense/pull/1902

#10 Updated by Renato Botelho almost 4 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Pull request has been merged

#11 Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved

Works. I can make an FQDN SAN and it ends up in the cert:

            X509v3 Subject Alternative Name: 
                DNS:*.dw.example.com