Date:      Thu,  1 Feb 2007 15:35:23 +0100 (CET)
From:      Johan van Selst <johans@stack.nl>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        jharris@widomaker.com, ache@FreeBSD.org
Subject:   ports/108661: [patch] www/lynx-current: add support for SSL SubjectAltNames
Message-ID:  <20070201143523.E9ACD423E@toad.stack.nl>
Resent-Message-ID: <200702011440.l11EePf8099075@freefall.freebsd.org>


>Number:         108661
>Category:       ports
>Synopsis:       [patch] www/lynx-current: add support for SSL SubjectAltNames
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 01 14:40:25 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Johan van Selst
>Release:        FreeBSD 6.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD toad.stack.nl 6.2-STABLE FreeBSD 6.2-STABLE #1: Mon Jan 29 16:35:42 CET 2007 dean@toad.stack.nl:/sabretooth.mnt/sources/6.x/amd64/obj/sabretooth.mnt/sources/6.x/src/sys/STACK-SMP64 amd64
>Description:
	
	Both lynx and lynx-current currently don't understand SSL certificates
	that mention multiple hostnames using the SubjectAltName method.
	The attached patch against lynx-current fixes this, according to
	the practice documented in RFC2818.
	It will probably apply to www/lynx as well with minimal effort.

	Cc: maintainers of both ports
>How-To-Repeat:
	
>Fix:
	Please add the following two patches as
	 files/patch-WWW_Library_Implementation_HTTP.c
	and
	 files/patch-WWW_Library_Implementation_HTUtils.h


--- WWW/Library/Implementation/HTTP.c.orig	Wed Jan 31 17:20:44 2007
+++ WWW/Library/Implementation/HTTP.c	Wed Jan 31 17:20:39 2007
@@ -725,6 +725,36 @@ static int HTLoadHTTP(const char *arg,
 	/* strip port number */
 	if ((p = strchr(ssl_host, ':')) != NULL)
 	    *p = '\0';
+
+	/* Quick and dirty SubjectAltName patch -johans 20070131*/
+	{
+	X509 *cert = SSL_get_peer_certificate(handle);
+	int opt = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
+	if (opt >= 0)
+	{
+		X509_EXTENSION *ext = X509_get_ext(cert, i);
+		STACK_OF(GENERAL_NAME) *alt = X509V3_EXT_d2i(ext);
+		if (alt)
+		{
+			int i, n = sk_GENERAL_NAME_num(alt);
+			GENERAL_NAME *gn;
+			for (i = 0; i < n; i++)
+			{
+				gn = sk_GENERAL_NAME_value(alt, i);
+				if (gn->type == GEN_DNS)
+				{
+					char *sn = ASN1_STRING_data(gn->d.ia5);
+					if (!strcasecmp_asterisk(ssl_host, sn))
+						status_sslcertcheck = 2;
+				}
+
+			}
+		}
+
+	}
+	}
+	if (!status_sslcertcheck)
+
 	/* validate all CNs found in DN */
 	while ((cert_host = strstr(ssl_dn_start, "/CN=")) != NULL) {
 	    status_sslcertcheck = 1;	/* 1 = could not verify CN */
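Review bot: `X509_get_ext(cert, i)` indexes the extension with `i`, but the index that `X509_get_ext_by_NID()` returned is `opt`, and `i` is only declared further down in the inner block (`int i, n = sk_GENERAL_NAME_num(alt);`), so this line should read `X509_EXTENSION *ext = X509_get_ext(cert, opt);`. Three more points in the same block: `cert` is neither checked for NULL nor released (SSL_get_peer_certificate() returns a reference that needs an `X509_free(cert)`), and `alt` is never freed either (`sk_GENERAL_NAME_pop_free(alt, GENERAL_NAME_free)`); `ASN1_STRING_data(gn->d.ia5)` is handed to `strcasecmp_asterisk()` as a C string, so compare `strlen(sn)` with `ASN1_STRING_length(gn->d.ia5)` and skip the entry on mismatch, otherwise a dNSName with an embedded NUL is matched on its prefix only; and the description cites RFC 2818, whose section 3.1 says a present dNSName must be used as the identity, yet `if (!status_sslcertcheck)` still falls through to the CN loop when SANs were present and none matched. If that fallback is intended for compatibility, say so in the comment (and drop "Quick and dirty"), and brace the `if`, since the comment sitting between it and the `while` makes it easy to misread which statement it governs; a `break` after `status_sslcertcheck = 2` would also avoid scanning the rest of the stack.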
--- WWW/Library/Implementation/HTUtils.h.orig	Wed Jan 31 17:20:52 2007
+++ WWW/Library/Implementation/HTUtils.h	Wed Jan 31 17:16:37 2007
@@ -598,6 +598,7 @@ extern int WWW_TraceMask;
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
+#include <openssl/x509v3.h>
 
 #else
 
>Release-Note:
>Audit-Trail:
>Unformatted:
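Added example, not part of this PR and not lynx code: a stand-alone C implementation of the RFC 2818 section 3.1 dNSName matching that the patch above approximates. Each name is taken as a (pointer, length) pair, the way ASN1_STRING_data()/ASN1_STRING_length() return it, rather than as a C string; the type and function names (san_dns, san_dns_match, rfc2818_host_ok) and the sample host names are mine, and the code does not link against OpenSSL, so it builds with any C compiler. It goes beyond the patch in two ways: it rejects a dNSName that carries an embedded NUL instead of trusting strlen(), and it does not consult the Common Name at all when a dNSName SAN is present, as RFC 2818 requires. Caveat: it applies RFC 2818's wildcard rule literally; later guidance (RFC 6125) is stricter about where a wildcard may appear.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One dNSName value as OpenSSL hands it back: a pointer plus an explicit
 * length (ASN1_STRING_data() / ASN1_STRING_length()), not a C string. */
struct san_dns {
    const unsigned char *data;
    size_t len;
};

/* Case-insensitive comparison of two byte ranges of explicit length. */
static int label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    size_t i;
    if (alen != blen)
        return 0;
    for (i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Leftmost label: the pattern may hold one '*' matching any fragment, so
 * "*.a.com" matches foo.a.com and "f*.com" matches foo.com (RFC 2818 3.1). */
static int first_label_match(const char *h, size_t hlen, const char *p, size_t plen)
{
    const char *star = memchr(p, '*', plen);
    size_t pre, suf;

    if (star == NULL)
        return label_eq(h, hlen, p, plen);
    pre = (size_t)(star - p);           /* bytes before the wildcard */
    suf = plen - pre - 1;               /* bytes after the wildcard  */
    if (hlen == 0 || memchr(star + 1, '*', suf) != NULL)
        return 0;                       /* at most one wildcard */
    if (hlen < pre + suf)
        return 0;
    return label_eq(h, pre, p, pre) && label_eq(h + hlen - suf, suf, star + 1, suf);
}

/* 1 if host (port already stripped) matches one dNSName SAN, else 0. */
int san_dns_match(const char *host, const struct san_dns *san)
{
    const char *p = (const char *)san->data;
    size_t plen = san->len;
    const char *hdot, *pdot;
    size_t hfirst, pfirst;

    /* A name with an embedded NUL looks shorter to strcmp-style code than it
     * is in the certificate; reject it rather than trusting strlen(). */
    if (host == NULL || *host == '\0' || plen == 0 || memchr(p, '\0', plen) != NULL)
        return 0;

    hdot = strchr(host, '.');
    pdot = memchr(p, '.', plen);
    hfirst = hdot ? (size_t)(hdot - host) : strlen(host);
    pfirst = pdot ? (size_t)(pdot - p) : plen;

    if (!first_label_match(host, hfirst, p, pfirst))
        return 0;
    if (hdot == NULL && pdot == NULL)
        return 1;
    if (hdot == NULL || pdot == NULL)
        return 0;
    /* Every label after the first must match exactly; no wildcards there. */
    return label_eq(hdot + 1, strlen(hdot + 1), pdot + 1, plen - pfirst - 1);
}

/* RFC 2818 3.1: a present dNSName SAN decides the identity and the Common
 * Name is ignored; the CN is consulted only when there are no dNSName SANs.
 * sans may be NULL when n == 0; cn may be NULL. Returns 1 = verified. */
int rfc2818_host_ok(const char *host, const struct san_dns *sans, size_t n, const char *cn)
{
    size_t i;
    struct san_dns c;

    if (n > 0) {
        for (i = 0; i < n; i++)
            if (san_dns_match(host, &sans[i]))
                return 1;
        return 0;                       /* SANs present, none matched: no CN fallback */
    }
    if (cn == NULL)
        return 0;
    c.data = (const unsigned char *)cn;
    c.len = strlen(cn);
    return san_dns_match(host, &c);
}

int main(void)
{
    /* Constructed sample certificate contents, not taken from any real cert. */
    static const unsigned char evil[] = "www.example.com\0.attacker.test";
    struct san_dns sans[] = {
        { (const unsigned char *)"*.example.com", 13 },
        { evil, sizeof(evil) - 1 },
    };
    printf("www.example.com -> %d\n", rfc2818_host_ok("www.example.com", sans, 2, NULL));
    printf("a.b.example.com -> %d\n", rfc2818_host_ok("a.b.example.com", sans, 2, "a.b.example.com"));
    return 0;
}
```

To wire this into HTTP.c one would fill a struct san_dns from each GEN_DNS entry with ASN1_STRING_data() and ASN1_STRING_length() and pass the CN only when the GENERAL_NAME stack is empty; the second printf above shows the consequence of that rule: a CN that matches does not rescue a certificate whose SANs do not.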



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070201143523.E9ACD423E>