From: Fabian Keil Date: Mon, 15 Mar 2021 09:34:27 +0000 (+0100) Subject: OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name X-Git-Tag: v_3_0_33~105^2 X-Git-Url: http://www.privoxy.org/gitweb/%22https:/faq/developer-manual/man-page/static/@user-manual@@actions-help-prefix@BLOCK?a=commitdiff_plain;h=7fb2856b4d81f1a6c63054cc8a002b9aa3a5fb69;p=privoxy.git OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name ... Org and Org Unit if the real host name is too long to get accepted by OpenSSL. Prevents failures like: 2021-03-15 10:04:34.318 802816f00 Error: X509 subject name (code: CN, val: only-d-pmjr9f4mclevwwl2mwckreicm8k1afzk-1615774207025.nstool.netease.com) error: error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too Clients should only care about the Subject Alternative Name anyway and we can continue to use the real host name for it. Reported by Miles Wen on privoxy-users@. --- diff --git a/openssl.c b/openssl.c index 97cb62a4..4dac8ea9 100644 --- a/openssl.c +++ b/openssl.c @@ -1751,6 +1751,8 @@ static int generate_host_certificate(struct client_state *csp) cert_options cert_opt; char cert_valid_from[VALID_DATETIME_BUFLEN]; char cert_valid_to[VALID_DATETIME_BUFLEN]; + const char *common_name; + enum { CERT_PARAM_COMMON_NAME_MAX = 64 }; /* Paths to keys and certificates needed to create certificate */ cert_opt.issuer_key = NULL; @@ -1866,8 +1868,15 @@ static int generate_host_certificate(struct client_state *csp) goto exit; } + /* + * Make sure OpenSSL doesn't reject the common name due to its length. + * The clients should only care about the Subject Alternative Name anyway + * and we always use the real host name for that. + */ + common_name = (strlen(csp->http->host) > CERT_PARAM_COMMON_NAME_MAX) ? + CGI_SITE_2_HOST : csp->http->host; if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_COMMON_NAME_FCODE, - MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0)) + MBSTRING_ASC, (void *)common_name, -1, -1, 0)) { log_ssl_errors(LOG_LEVEL_ERROR, "X509 subject name (code: %s, val: %s) error", @@ -1876,7 +1885,7 @@ static int generate_host_certificate(struct client_state *csp) goto exit; } if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORGANIZATION_FCODE, - MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0)) + MBSTRING_ASC, (void *)common_name, -1, -1, 0)) { log_ssl_errors(LOG_LEVEL_ERROR, "X509 subject name (code: %s, val: %s) error", @@ -1885,7 +1894,7 @@ static int generate_host_certificate(struct client_state *csp) goto exit; } if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORG_UNIT_FCODE, - MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0)) + MBSTRING_ASC, (void *)common_name, -1, -1, 0)) { log_ssl_errors(LOG_LEVEL_ERROR, "X509 subject name (code: %s, val: %s) error",