Project

General

Profile

« Previous | Next » 

Revision cad0d5bc

Added by Jim Pingle over 8 years ago

Always add the CN as the first SAN when creating a certificate in the GUI or an automatic GUI self-signed certificate. Per RFC 2818, relying on the CN to determine the hostname is deprecated, SANs are required. Chrome 58 started enforcing this requirement. Fixes #7496

View differences:

src/etc/inc/system.inc
1281 1281 
	$cert = array();
1282 1282 
	$cert['refid'] = uniqid();
1283 1283 
	$cert['descr'] = sprintf(gettext("webConfigurator default (%s)"), $cert['refid']);
1284 
	$cert_hostname = "{$config['system']['hostname']}-{$cert['refid']}";
1284 1285 

  		




  1285
  1286
  
    
	$dn = array(


  		




  1286
  1287
  
    
		'countryName' => "US",


  		




  ......




  1288
  1289
  
    
		'localityName' => "Locality",


  		




  1289
  1290
  
    
		'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate",


  		




  1290
  1291
  
    
		'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}",


  		




  1291
  
  
    
		'commonName' => "{$config['system']['hostname']}-{$cert['refid']}");


  		




  
  1292
  
    
		'commonName' => $cert_hostname,


  		




  
  1293
  
    
		'subjectAltName' => "DNS:{$cert_hostname}");


  		




  1292
  1294
  
    
	$old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warnings directly to a page screwing menu tab */


  		




  1293
  1295
  
    
	if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")) {


  		




  1294
  1296
  
    
		while ($ssl_err = openssl_error_string()) {


  		












  

    
      src/usr/local/www/system_certmanager.php
    
  





  426
  426
  
    
					if (!empty($pconfig['dn_organizationalunit'])) {


  		




  427
  427
  
    
						$dn['organizationalUnitName'] = $pconfig['dn_organizationalunit'];


  		




  428
  428
  
    
					}


  		




  
  429
  
    
					if (is_ipaddr($pconfig['dn_commonname'])) {


  		




  
  430
  
    
						$altnames_tmp = array("IP:{$pconfig['dn_commonname']}");


  		




  
  431
  
    
					} else {


  		




  
  432
  
    
						$altnames_tmp = array("DNS:{$pconfig['dn_commonname']}");


  		




  
  433
  
    
					}


  		




  429
  434
  
    
					if (count($altnames)) {


  		




  430
  
  
    
						$altnames_tmp = "";


  		




  431
  435
  
    
						foreach ($altnames as $altname) {


  		




  432
  
  
    
							$altnames_tmp[] = "{$altname['type']}:{$altname['value']}";


  		




  
  436
  
    
							// The CN is added as a SAN automatically, do not add it again.


  		




  
  437
  
    
							if ($altname['value'] != $pconfig['dn_commonname']) {


  		




  
  438
  
    
								$altnames_tmp[] = "{$altname['type']}:{$altname['value']}";


  		




  
  439
  
    
							}


  		




  433
  440
  
    
						}


  		




  434
  
  
    

  		




  
  441
  
    
					}


  		




  
  442
  
    
					if (!empty($altnames_tmp)) {


  		




  435
  443
  
    
						$dn['subjectAltName'] = implode(",", $altnames_tmp);


  		




  436
  444
  
    
					}


  		




  437
  445
  
    

  		




  ......




  797
  805
  
    

  		




  798
  806
  
    
		$group->addClass('repeatable');


  		




  799
  807
  
    

  		




  
  808
  
    
		$group->setHelp('Enter additional identifiers for the certificate in this list. The Common Name field is automatically added to the certificate as an Alternative Name.');


  		




  
  809
  
    

  		




  800
  810
  
    
		$section->add($group);


  		




  801
  811
  
    

  		




  802
  812
  
    
		$counter++;


  		












Also available in:  Unified diff