Date: Thu, 1 Feb 2007 15:35:23 +0100 (CET)
From: Johan van Selst <johans@stack.nl>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: jharris@widomaker.com, ache@FreeBSD.org
Subject: ports/108661: [patch] www/lynx-current: add support for SSL SubjectAltNames
Message-ID: <20070201143523.E9ACD423E@toad.stack.nl>
Resent-Message-ID: <200702011440.l11EePf8099075@freefall.freebsd.org>
>Number: 108661
>Category: ports
>Synopsis: [patch] www/lynx-current: add support for SSL SubjectAltNames
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 01 14:40:25 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Johan van Selst
>Release: FreeBSD 6.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD toad.stack.nl 6.2-STABLE FreeBSD 6.2-STABLE #1: Mon Jan 29 16:35:42 CET 2007 dean@toad.stack.nl:/sabretooth.mnt/sources/6.x/amd64/obj/sabretooth.mnt/sources/6.x/src/sys/STACK-SMP64 amd64
>Description:
Both lynx and lynx-current currently don't understand SSL certificates that mention multiple hostnames using the SubjectAltName method. The attached patch against lynx-current fixes this, according to the practice documented in RFC2818. It will probably apply to www/lynx as well with minimal effort.
Cc: maintainers of both ports
>How-To-Repeat:
>Fix:
Please add the following two patches as files/patch-WWW_Library_Implementation_HTTP.c and files/patch-WWW_Library_Implementation_HTUtils.h
--- WWW/Library/Implementation/HTTP.c.orig Wed Jan 31 17:20:44 2007
+++ WWW/Library/Implementation/HTTP.c Wed Jan 31 17:20:39 2007
@@ -725,6 +725,36 @@ static int HTLoadHTTP(const char *arg, /* strip port number */ if ((p = strchr(ssl_host, ':')) != NULL) *p = '\0'; + + /* Quick and dirty SubjectAltName patch -johans 20070131*/ + { + X509 *cert = SSL_get_peer_certificate(handle); + int opt = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); + if (opt >= 0) + { + X509_EXTENSION *ext = X509_get_ext(cert, i); + STACK_OF(GENERAL_NAME) *alt = X509V3_EXT_d2i(ext); + if (alt) + { + int i, n = sk_GENERAL_NAME_num(alt); + GENERAL_NAME *gn; + for (i = 0; i < n; i++) + { + gn = sk_GENERAL_NAME_value(alt, i); + if (gn->type == GEN_DNS) + { + char *sn = ASN1_STRING_data(gn->d.ia5); + if (!strcasecmp_asterisk(ssl_host, sn)) + status_sslcertcheck = 2; + } + + } + } + + } + } + if (!status_sslcertcheck) + /* validate all CNs found in DN */ while ((cert_host = strstr(ssl_dn_start, "/CN=")) != NULL) { status_sslcertcheck = 1; /* 1 = could not verify CN */ --- WWW/Library/Implementation/HTUtils.h.orig Wed Jan 31 17:20:52 2007 +++ WWW/Library/Implementation/HTUtils.h Wed Jan 31 17:16:37 2007 @@ -598,6 +598,7 @@ extern int WWW_TraceMask; #include <openssl/crypto.h> #include <openssl/rand.h> #include <openssl/err.h> +#include <openssl/x509v3.h> #else >Release-Note: >Audit-Trail: >Unformatted:
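Review bot: In the HTTP.c hunk, `X509_EXTENSION *ext = X509_get_ext(cert, i);` indexes the extension with `i`, but the index that `X509_get_ext_by_NID` returned is `opt`; the `int i` declared later in the inner block is not in scope at that point, so this line either fails to compile or silently picks up an unrelated `i` from the enclosing function. It should read `X509_get_ext(cert, opt)`. The same hunk also leaks what it allocates: `SSL_get_peer_certificate` returns a reference that must be released with `X509_free(cert)` (and it can return NULL, which should be checked before calling `X509_get_ext_by_NID`), and the stack returned by `X509V3_EXT_d2i` should be released with `sk_GENERAL_NAME_pop_free(alt, GENERAL_NAME_free)`. Two further points: `ASN1_STRING_data(gn->d.ia5)` is handed to `strcasecmp_asterisk` as a C string, but ASN.1 strings are length-delimited and not guaranteed NUL-terminated, so the comparison should bound itself by `ASN1_STRING_length` and reject a dNSName whose declared length differs from the `strlen` of its data; and RFC 2818 section 3.1, which the description cites, says the Common Name must not be consulted when a dNSName SubjectAltName is present, whereas `if (!status_sslcertcheck)` still falls through to the CN loop when the SAN extension exists but contained no matching name.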