
Subject-Alt-Name: Correct behavior of global option --san #1088

Closed
wants to merge 3 commits into from

Conversation

TinCanTech
Collaborator

@TinCanTech TinCanTech commented Mar 10, 2024

--san|--subject-alt-name current behavior is currently incorrect.

Appending any value to EASYRSA_EXTRA_EXTS repeatedly inserts OpenSSL
label 'subjectAltName = ' when this label should be specified once only.

This change correctly formats EASYRSA_EXTRA_EXTS to begin with the
label 'subjectAltName = ' only once and append user values to that string.

Example Command line:

--san=DNS:server3 --san=DNS:swerveur3 --san=IP:10.2.2.2 --san=IP:10.1.1.1
--nopass build-server-full s3

Resulting certificate:

X509v3 Subject Alternative Name:
    DNS:server3, DNS:swerveur3, IP Address:10.2.2.2, IP Address:10.1.1.1

The originally required command string:

--san=DNS:server3,DNS:swerveur3,IP:10.2.2.2,IP:10.1.1.1 build-server-full s3

is also still supported.

Also, the Easy-RSA confirmation dialogue is shown as:

subject=
    commonName                = s3

X509v3 Subject Alternative Name:
    DNS:server3,DNS:swerveur3,IP:10.2.2.2,IP:10.1.1.1

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Signed-off-by: Richard T Bonhomme <[email protected]>
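To make the described fix concrete, here is an added POSIX shell example (not Easy-RSA's own code; the function names are mine) that folds repeated --san=VALUE options into one subjectAltName extension line, next to the per-option accumulation the PR identifies as the bug, where every option re-emits the label:

```shell
# Added example: mimic how Easy-RSA should turn repeated --san=VALUE
# (or --subject-alt-name=VALUE) options into ONE OpenSSL extension line.
# VALUE may itself be a comma-separated list, so the single-option form
# "--san=DNS:a,DNS:b" and the repeated form "--san=DNS:a --san=DNS:b"
# must produce identical output. Non-SAN arguments are ignored here.
build_san_ext() {
    sans=""
    for arg in "$@"; do
        case "$arg" in
            --san=*|--subject-alt-name=*)
                # Strip the option name; keep the value verbatim.
                sans="${sans}${sans:+,}${arg#*=}"
                ;;
        esac
    done
    # Emit the label exactly once, only when at least one SAN was given.
    if [ -n "$sans" ]; then
        printf 'subjectAltName = %s\n' "$sans"
    fi
}

# The behaviour the PR describes as incorrect: each --san option appends
# its own "subjectAltName = " line, so the label is repeated per value.
build_san_ext_buggy() {
    for arg in "$@"; do
        case "$arg" in
            --san=*|--subject-alt-name=*)
                printf 'subjectAltName = %s\n' "${arg#*=}"
                ;;
        esac
    done
}

# Demo with the PR's example command line (constructed input).
build_san_ext --san=DNS:server3 --san=DNS:swerveur3 \
    --san=IP:10.2.2.2 --san=IP:10.1.1.1 --nopass build-server-full s3
```

The single-label line is what OpenSSL expects in an extensions section; the buggy variant yields one `subjectAltName =` line per option.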
@TinCanTech TinCanTech added this to the v3.2.0 milestone Mar 10, 2024
@TinCanTech TinCanTech linked an issue Mar 10, 2024 that may be closed by this pull request
@TinCanTech TinCanTech self-assigned this Mar 10, 2024
@TinCanTech
Collaborator Author

TinCanTech commented Mar 13, 2024

As obvious a fix as this appears to be, I would prefer to separate SAN from other "Extra (Undefined) extensions".

Thus, EASYRSA_EXTRA_EXTS is not the preferred variable to use for SANs.

For Easy-RSA v3.2, I believe it is also time to resolve #576.
The resolution will be that support for servers named by IP address, having an automatic IP SAN added, is nonsense. Follow-up: #1091

@TinCanTech
Collaborator Author

TinCanTech commented Mar 16, 2024

Superseded-by: #1093 #1096

@TinCanTech TinCanTech closed this Mar 16, 2024
Successfully merging this pull request may close these issues.

Incorrect SAN entries presented on signing confirmation