In ssl_check_public_cert(), also take dNSNames in the subjectAltName

extension into account when checking the cert against the configured
ServerName. PR 32652, PR 47051.

Replace SSL_X509_getCN() by SSL_X509_getIDs(), which returns an array
of a cert's DNS-IDs and CN-IDs (terms as coined by RFC 6125).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1176752 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_init.c

@@ -985,7 +985,7 @@ static void ssl_check_public_cert(server_rec *s,
                                   int type)
 {
     int is_ca, pathlen;
-    char *cn;
+    apr_array_header_t *ids;
 
     if (!cert) {
         return;
@@ -1018,23 +1018,55 @@ static void ssl_check_public_cert(server_rec *s,
         }
     }
 
-    if (SSL_X509_getCN(ptemp, cert, &cn)) {
-        int fnm_flags = APR_FNM_PERIOD|APR_FNM_CASE_BLIND;
+    /*
+     * Check if the server name is covered by the certificate.
+     * Consider both dNSName entries in the subjectAltName extension
+     * and, as a fallback, commonName attributes in the subject DN.
+     * (DNS-IDs and CN-IDs as defined in RFC 6125).
+     */
+    if (SSL_X509_getIDs(ptemp, cert, &ids)) {
+        char *cp;
+        int i;
+        char **id = (char **)ids->elts;
+        BOOL is_wildcard, matched = FALSE;
 
-        if (apr_fnmatch_test(cn)) {
-            if (apr_fnmatch(cn, s->server_hostname,
-                            fnm_flags) == APR_FNM_NOMATCH) {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                             "%s server certificate wildcard CommonName "
-                             "(CN) `%s' does NOT match server name!?",
-                             ssl_asn1_keystr(type), cn);
+        for (i = 0; i < ids->nelts; i++) {
+            if (!id[i])
+                continue;
+
+            /*
+             * Determine if it is a wildcard ID - we're restrictive
+             * in the sense that we require the wildcard character to be
+             * THE left-most label (i.e., the ID must start with "*.")
+             */
+            is_wildcard = (*id[i] == '*' && *(id[i]+1) == '.') ? TRUE : FALSE;
+
+            /*
+             * If the ID includes a wildcard character, check if it matches
+             * for the left-most DNS label (i.e., the wildcard character
+             * is not allowed to match a dot). Otherwise, try a simple
+             * string compare, case insensitively.
+             */
+            if ((is_wildcard == TRUE &&
+                 (cp = strchr(s->server_hostname, '.')) &&
+                 !strcasecmp(id[i]+1, cp)) ||
+                !strcasecmp(id[i], s->server_hostname)) {
+                matched = TRUE;
+                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                             "%sID '%s' in %s certificate configured "
+                             "for %s matches server name",
+                             is_wildcard ? "Wildcard " : "",
+                             id[i], ssl_asn1_keystr(type),
+                             (mySrvConfig(s))->vhost_id);
+                break;
             }
         }
-        else if (strNE(s->server_hostname, cn)) {
+
+        if (matched == FALSE) {
             ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                         "%s server certificate CommonName (CN) `%s' "
-                         "does NOT match server name!?",
-                         ssl_asn1_keystr(type), cn);
+                         "%s certificate configured for %s does NOT include "
+                         "an ID which matches the server name",
+                         ssl_asn1_keystr(type), (mySrvConfig(s))->vhost_id);
         }
     }
 }