Revision 644a5333
Added by Jim Pingle over 4 years ago
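--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -1631,9 +1631,6 @@
 
 /* Convert the internal certificate type to an openssl.cnf section name */
 $cert_type = cert_type_config_section($cert['type']);
-if ($cert['type'] != 'ca') {
-$cert_type .= '_san';
-}
 
 /* Reuse lifetime (convert seconds to days) */
 $lifetime = (int) round(($cert_details['validTo_time_t'] - $cert_details['validFrom_time_t']) / 86400);
@@ -1650,9 +1647,16 @@
 $sans = cert_add_altname_type($dn['commonName']);
 }
 
-/* subjectAltName can be set _only_ via configuration file, so put the
-* value into the environment where it will be read from the configuration */
-putenv("SAN={$sans}");
+/* Do not setup SANs if the SAN list is empty (e.g. no SAN list and/or
+* CN cannot be mapped to a valid SAN type) */
+if (!empty($sans)) {
+if ($cert['type'] != 'ca') {
+$cert_type .= '_san';
+}
+/* subjectAltName can be set _only_ via configuration file, so put the
+* value into the environment where it will be read from the configuration */
+putenv("SAN={$sans}");
+}
 
 /* If we are enforcing strict security, then check the digest against a
 * blacklist of insecure digest methods. */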
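Review bot: When `$sans` is empty the renewal now falls through to the plain section and issues the certificate with no subjectAltName at all, and nothing in this hunk tells the operator; for a server certificate that matters because current TLS clients match host names against the SAN only and ignore the CN. I would add an `else` branch to the new `if (!empty($sans))` block that records it, e.g. `} else { log_error(gettext("Renewed certificate has no usable SAN; clients may reject it")); }`, or at least state the consequence in the comment above the check. Separately, `putenv("SAN={$sans}")` passes the string straight into the value that openssl.cnf expands, so it is worth confirming that `cert_add_altname_type()` and the SAN list built outside this hunk reject separators and config syntax in names taken from the certificate being renewed. The enclosing function starts and ends outside the hunk.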
Fix handling of renewing cert w/o SAN. Fixes #11652
(cherry picked from commit 09d3fe621a56292817a85a54916e8b99e2b26c00)