Kristyna Streitova 2014-11-04 10:06:28 +00:00 committed by Git OBS Bridge
parent ac78b1824b
commit 9a60ccd314

View File

@ -0,0 +1,42 @@
From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001
From: standa <stokos@suse.de>
Date: Wed, 22 Oct 2014 16:14:29 +0200
Subject: [PATCH] Compare subject CN and VS hostname during server start up
---
nss_engine_init.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/nss_engine_init.c b/nss_engine_init.c
index d74f002..2569c8d 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
*KEAtype = NSS_FindCertKEAType(*servercert);
+ /* Subject/hostname check */
+ secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
+ if (secstatus != SECSuccess) {
+ char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Misconfiguration of certificate's CN and virtual name."
+ " The certificate CN has %s. We expected %s as virtual"
+ " name.", cert_dns, s->server_hostname);
+ PORT_Free(cert_dns);
+ }
+
/*
- * Check for certs that are expired or not yet valid and WARN about it
- * no need to refuse working - the client gets a warning, but can work
- * with the server we could also verify if the certificate is made out
- * for the correct hostname but that would require a reverse DNS lookup
- * for every virtual server - too expensive?
+ * Check for certs that are expired or not yet valid and WARN about it.
+ * No need to refuse working - the client gets a warning.
*/
certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE);
--
1.9.3