mod_ssl: add support for subjectAltName-based host name checking in proxy mode

(PR 54030) factor out code from ssl_engine_init.c:ssl_check_public_cert() to ssl_util_ssl.c:SSL_X509_match_name() introduce new SSLProxyCheckPeerName directive, which should eventually obsolete SSLProxyCheckPeerCN ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication when aborting with HTTP_BAD_GATEWAY git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1425874 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2012-12-26 10:54:54 +00:00
parent 7e374279b5
commit 50eb694c34
10 changed files with 172 additions and 70 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1154,7 +1154,6 @@ static void ssl_check_public_cert(server_rec *s,
                                  int type)
 {
    int is_ca, pathlen;
-    apr_array_header_t *ids;

    if (!cert) {
        return;
@@ -1187,56 +1186,12 @@ static void ssl_check_public_cert(server_rec *s,
        }
    }

-    /*
-     * Check if the server name is covered by the certificate.
-     * Consider both dNSName entries in the subjectAltName extension
-     * and, as a fallback, commonName attributes in the subject DN.
-     * (DNS-IDs and CN-IDs as defined in RFC 6125).
-     */
-    if (SSL_X509_getIDs(ptemp, cert, &ids)) {
-        char *cp;
-        int i;
-        char **id = (char **)ids->elts;
-        BOOL is_wildcard, matched = FALSE;
-
-        for (i = 0; i < ids->nelts; i++) {
-            if (!id[i])
-                continue;
-
-            /*
-             * Determine if it is a wildcard ID - we're restrictive
-             * in the sense that we require the wildcard character to be
-             * THE left-most label (i.e., the ID must start with "*.")
-             */
-            is_wildcard = (*id[i] == '*' && *(id[i]+1) == '.') ? TRUE : FALSE;
-
-            /*
-             * If the ID includes a wildcard character, check if it matches
-             * for the left-most DNS label (i.e., the wildcard character
-             * is not allowed to match a dot). Otherwise, try a simple
-             * string compare, case insensitively.
-             */
-            if ((is_wildcard == TRUE &&
-                 (cp = strchr(s->server_hostname, '.')) &&
-                 !strcasecmp(id[i]+1, cp)) ||
-                !strcasecmp(id[i], s->server_hostname)) {
-                matched = TRUE;
-                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01908)
-                             "%sID '%s' in %s certificate configured "
-                             "for %s matches server name",
-                             is_wildcard ? "Wildcard " : "",
-                             id[i], ssl_asn1_keystr(type),
-                             (mySrvConfig(s))->vhost_id);
-                break;
-            }
-        }
-
-        if (matched == FALSE) {
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01909)
-                         "%s certificate configured for %s does NOT include "
-                         "an ID which matches the server name",
-                         ssl_asn1_keystr(type), (mySrvConfig(s))->vhost_id);
-        }
+    if (SSL_X509_match_name(ptemp, cert, (const char *)s->server_hostname,
+                            TRUE, s) == FALSE) {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(01909)
+                     "%s certificate configured for %s does NOT include "
+                     "an ID which matches the server name",
+                     ssl_asn1_keystr(type), (mySrvConfig(s))->vhost_id);
    }
 }