From: Fabian Keil <fk@fabiankeil.de>
Date: Mon, 15 Mar 2021 09:34:27 +0000 (+0100)
Subject: OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name
X-Git-Tag: v_3_0_33~105^2
X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff_plain;h=7fb2856b4d81f1a6c63054cc8a002b9aa3a5fb69;ds=sidebyside

OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name

... Org and Org Unit if the real host name is too long to
get accepted by OpenSSL.

Prevents failures like:
2021-03-15 10:04:34.318 802816f00 Error: X509 subject name (code: CN, val: only-d-pmjr9f4mclevwwl2mwckreicm8k1afzk-1615774207025.nstool.netease.com) error: error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too

Clients should only care about the Subject Alternative Name
anyway and we can continue to use the real host name for it.

Reported by Miles Wen on privoxy-users@.
---

diff --git a/openssl.c b/openssl.c
index 97cb62a4..4dac8ea9 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1751,6 +1751,8 @@ static int generate_host_certificate(struct client_state *csp)
    cert_options cert_opt;
    char cert_valid_from[VALID_DATETIME_BUFLEN];
    char cert_valid_to[VALID_DATETIME_BUFLEN];
+   const char *common_name;
+   enum { CERT_PARAM_COMMON_NAME_MAX = 64 };
 
    /* Paths to keys and certificates needed to create certificate */
    cert_opt.issuer_key  = NULL;
@@ -1866,8 +1868,15 @@ static int generate_host_certificate(struct client_state *csp)
       goto exit;
    }
 
+   /*
+    * Make sure OpenSSL doesn't reject the common name due to its length.
+    * The clients should only care about the Subject Alternative Name anyway
+    * and we always use the real host name for that.
+    */
+   common_name = (strlen(csp->http->host) > CERT_PARAM_COMMON_NAME_MAX) ?
+      CGI_SITE_2_HOST : csp->http->host;
    if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_COMMON_NAME_FCODE,
-         MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+         MBSTRING_ASC, (void *)common_name, -1, -1, 0))
    {
       log_ssl_errors(LOG_LEVEL_ERROR,
          "X509 subject name (code: %s, val: %s) error",
@@ -1876,7 +1885,7 @@ static int generate_host_certificate(struct client_state *csp)
       goto exit;
    }
    if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORGANIZATION_FCODE,
-         MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+         MBSTRING_ASC, (void *)common_name, -1, -1, 0))
    {
       log_ssl_errors(LOG_LEVEL_ERROR,
          "X509 subject name (code: %s, val: %s) error",
@@ -1885,7 +1894,7 @@ static int generate_host_certificate(struct client_state *csp)
       goto exit;
    }
    if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORG_UNIT_FCODE,
-         MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+         MBSTRING_ASC, (void *)common_name, -1, -1, 0))
    {
       log_ssl_errors(LOG_LEVEL_ERROR,
          "X509 subject name (code: %s, val: %s) error",