This commit fixes #981 by using a while loop instead of a for loop to check each DNS name in the SAN extension, copying the syntax used in certificate_info() to display all of the SANs.
David Cooper 2018-02-06 14:05:27 -05:00 committed by David Cooper
parent 364011b6ca
commit 39990f5ace


@ -6235,26 +6235,27 @@ compare_server_name_to_cert()
# Check whether any of the DNS names in the certificate match the servername # Check whether any of the DNS names in the certificate match the servername
dns_sans="$(get_san_dns_from_cert "$cert")" dns_sans="$(get_san_dns_from_cert "$cert")"
for san in $dns_sans; do while read san; do
[[ $(toupper "$san") == "$servername" ]] && ret=1 && break [[ -n "$san" ]] && [[ $(toupper "$san") == "$servername" ]] && ret=1 && break
done done <<< "$dns_sans"
if [[ $ret -eq 0 ]]; then if [[ $ret -eq 0 ]]; then
# Check whether any of the IP addresses in the certificate match the servername # Check whether any of the IP addresses in the certificate match the servername
ip_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ ip_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \
tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g') tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
for san in $ip_sans; do while read san; do
[[ "$san" == "$servername" ]] && ret=1 && break [[ -n "$san" ]] && [[ "$san" == "$servername" ]] && ret=1 && break
done done <<< "$ip_sans"
fi fi
# Check whether any of the DNS names in the certificate are wildcard names # Check whether any of the DNS names in the certificate are wildcard names
# that match the servername # that match the servername
if [[ $ret -eq 0 ]]; then if [[ $ret -eq 0 ]]; then
for san in $dns_sans; do while read san; do
[[ -n "$san" ]] || continue
wildcard_match "$servername" "$san" wildcard_match "$servername" "$san"
[[ $? -eq 0 ]] && ret=2 && break [[ $? -eq 0 ]] && ret=2 && break
done done <<< "$dns_sans"
fi fi
cn="$(get_cn_from_cert "$cert")" cn="$(get_cn_from_cert "$cert")"
@ -7250,9 +7251,9 @@ run_server_defaults() {
if [[ "$sans_nosni" == "$sans_sni" ]]; then if [[ "$sans_nosni" == "$sans_sni" ]]; then
success[n]=0 success[n]=0
else else
for san in $sans_nosni; do while read san; do
[[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break [[ -n "$san" ]] && [[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break
done done <<< "$sans_nosni"
fi fi
fi fi
fi fi
@ -7457,7 +7458,7 @@ get_session_ticket_lifetime_from_serverhello() {
get_san_dns_from_cert() { get_san_dns_from_cert() {
echo "$($OPENSSL x509 -in "$1" -noout -text 2>>$ERRFILE | \ echo "$($OPENSSL x509 -in "$1" -noout -text 2>>$ERRFILE | \
grep -A2 "Subject Alternative Name" | tr ',' '\n' | grep "DNS:" | \ grep -A2 "Subject Alternative Name" | tr ',' '\n' | grep "DNS:" | \
sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')" sed -e 's/DNS://g' -e 's/ //g')"
} }
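Review bot: The new `while read san; do` loops in compare_server_name_to_cert (three of them) and in run_server_defaults read certificate-supplied strings without `-r`, so any backslash in a SAN value is interpreted rather than compared literally; since the input comes from a remote certificate it should be `while IFS= read -r san; do`, with `done <<< "$dns_sans"` unchanged. Using `-r` here also keeps the loop consistent with how `read` is used elsewhere under `set -u`-style defensive shell. In the run_server_defaults hunk, the match `[[ " $sans_sni " =~ " $san " ]]` still assumes `sans_sni` is a space-separated list; if `sans_sni` is now produced by get_san_dns_from_cert, whose output no longer passes through `tr '\n' ' '`, entries in the middle of a multi-name list would be newline-delimited and the space-padded match could fail to find them — worth checking where `sans_sni` is built, which is outside this hunk. The enclosing functions compare_server_name_to_cert and run_server_defaults begin and end outside the visible hunks.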