diff --git a/mod_nss-compare_subject_CN_and_VS_hostname.patch b/mod_nss-compare_subject_CN_and_VS_hostname.patch
new file mode 100644
index 0000000..4bfb530
--- /dev/null
+++ b/mod_nss-compare_subject_CN_and_VS_hostname.patch
@@ -0,0 +1,42 @@
+From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001
+From: standa
+Date: Wed, 22 Oct 2014 16:14:29 +0200
+Subject: [PATCH] Compare subject CN and VS hostname during server start up
+
+---
+ nss_engine_init.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/nss_engine_init.c b/nss_engine_init.c
+index d74f002..2569c8d 100644
+--- a/nss_engine_init.c
++++ b/nss_engine_init.c
+@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
+ 
+ *KEAtype = NSS_FindCertKEAType(*servercert);
+ 
++ /* Subject/hostname check */
++ secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
++ if (secstatus != SECSuccess) {
++ char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++ "Misconfiguration of certificate's CN and virtual name."
++ " The certificate CN has %s. We expected %s as virtual"
++ " name.", cert_dns, s->server_hostname);
++ PORT_Free(cert_dns);
++ }
++
+ /*
+- * Check for certs that are expired or not yet valid and WARN about it
+- * no need to refuse working - the client gets a warning, but can work
+- * with the server we could also verify if the certificate is made out
+- * for the correct hostname but that would require a reverse DNS lookup
+- * for every virtual server - too expensive?
++ * Check for certs that are expired or not yet valid and WARN about it.
++ * No need to refuse working - the client gets a warning.
+ */
+ 
+ certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE);
+--
+1.9.3
+
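Review bot: In the added block inside nss_engine_init.c, `CERT_GetCommonName` returns NULL when the subject has no CN (SAN-only certificates), and the message then reports the CN as the culprit even though `CERT_VerifyCertName` matches against subjectAltName first and only falls back to the CN; an administrator reading "The certificate CN has (null)" gets no hint that the SAN is what failed to match. Guard the NULL and name the host being checked, e.g. `"Certificate '%s' does not match virtual host name %s (subject CN: %s)", nickname, s->server_hostname, cert_dns ? cert_dns : "<none>"`; `PORT_Free(NULL)` itself is harmless. The mismatch is logged at APLOG_ERR but startup continues, which matches the rewritten comment's stated intent of warning rather than refusing to serve; a one-line comment saying so next to the check would prevent a later reader from assuming the vhost is rejected. `secstatus` is used but not declared in the hunk, so this assumes it already exists in nss_init_certificate, whose body begins and ends outside the hunk.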