OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=2

mod_nss-compare_subject_CN_and_VS_hostname.patch

@@ -0,0 +1,42 @@
+From c027af16af4975bbb0aa7bc509ea059944028481 Mon Sep 17 00:00:00 2001
+From: standa <stokos@suse.de>
+Date: Wed, 22 Oct 2014 16:14:29 +0200
+Subject: [PATCH] Compare subject CN and VS hostname during server start up
+
+---
+ nss_engine_init.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/nss_engine_init.c b/nss_engine_init.c
+index d74f002..2569c8d 100644
+--- a/nss_engine_init.c
++++ b/nss_engine_init.c
+@@ -1179,12 +1179,20 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
+ 
+     *KEAtype = NSS_FindCertKEAType(*servercert);
+ 
++    /* Subject/hostname check */
++    secstatus = CERT_VerifyCertName(*servercert, s->server_hostname);
++    if (secstatus != SECSuccess) {
++      char *cert_dns = CERT_GetCommonName(&(*servercert)->subject);
++      ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
++		       "Misconfiguration of certificate's CN and virtual name."
++		       " The certificate CN has %s. We expected %s as virtual"
++                       " name.", cert_dns, s->server_hostname);
++      PORT_Free(cert_dns);
++    }
++
+     /*
+-     * Check for certs that are expired or not yet valid and WARN about it
+-     * no need to refuse working - the client gets a warning, but can work
+-     * with the server we could also verify if the certificate is made out
+-     * for the correct hostname but that would require a reverse DNS lookup
+-     * for every virtual server - too expensive?
++     * Check for certs that are expired or not yet valid and WARN about it.
++     * No need to refuse working - the client gets a warning.
+      */
+ 
+     certtimestatus = CERT_CheckCertValidTimes(*servercert, PR_Now(), PR_FALSE);
+-- 
+1.9.3
+