Allow for certificates with no subjectAltName extension

While it seems that almost all certificates include a subjectAltName extension, the comparison needs to allow for the possibility that the two certificates being compared have no subjectAltName extension at all.
This commit is contained in:
David Cooper 2016-06-01 16:20:10 -04:00
parent 3bc0d6b45c
commit 6825c0b363


@ -3610,16 +3610,20 @@ run_server_defaults() {
# FIXME: Not sure what the matching rule should be. At # FIXME: Not sure what the matching rule should be. At
# the moment, the no SNI certificate is considered a # the moment, the no SNI certificate is considered a
# match if the CNs are the same and the SANs contain # match if the CNs are the same and the SANs (if
# at least one DNS name in common. # present) contain at least one DNS name in common.
if [[ "$cn_nosni" == "$cn_sni" ]]; then if [[ "$cn_nosni" == "$cn_sni" ]]; then
sans_sni=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \ sans_sni=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g') sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
if [[ "$sans_nosni" == "$sans_sni" ]]; then
success[n]=0
else
for san in $sans_nosni; do for san in $sans_nosni; do
[[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break [[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break
done done
fi fi
fi fi
fi
# If the certificate found for TLSv1.1 w/o SNI appears to # If the certificate found for TLSv1.1 w/o SNI appears to
# be for a different host, then set match_found to true so # be for a different host, then set match_found to true so
# that the new certificate will not be included in the output. # that the new certificate will not be included in the output.