
2015-06-10

2015-06-10 15:25:00 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Pike 8.0 [SSL]: Support multiple certificates with the same key.

Also adds a fallback to a random certificate when the client does not
support SNI, or when the SNI name does not match any of the certificates.

2560: Inside #if constant(Standards.X509)
   }       foreach(decoded_keys, Crypto.Sign key) { -  // FIXME: Multiple certificates with the same key? -  array(int) cert_nos; +  // NB: We need to support multiple certificates with the same key. +  int found;    Standards.X509.TBSCertificate tbs;    foreach(decoded_certs; int no; tbs) { -  if (tbs->public_key->pkc->public_key_equal(key)) { -  cert_nos = ({ no }); -  break; -  } -  } -  if (!cert_nos) { -  CERT_ERROR (KeyFile, -  LOC_M(14, "Certificate and private key do not match.\n")); +  if (!tbs->public_key->pkc->public_key_equal(key))    continue; -  } +     -  +  array(int) cert_nos = ({ no }); +     // Build the certificate chain.    Standards.X509.TBSCertificate issuer;    do {
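Review bot: The new `int found;` is declared without an initializer inside the outer `foreach(decoded_keys, ...)` body, and the only place it is reset is the declaration itself; if a bare local declaration is not re-zeroed on every iteration of that loop, a key that matched nothing would inherit `found = 1` from the previous key and the "Private key without matching certificate" error in the second hunk would never fire for it. Making the reset explicit costs nothing and removes the question: `int found = 0;`. The same hunk also changes the inner loop from "first match then break" to "every matching certificate", so one key may now produce several chains; a one-line comment such as `// Every certificate carrying this key gets its own chain; found records that at least one did.` above the inner `foreach` would make that intent visible to the next reader. The enclosing function and the `do { ... }` chain-building loop both continue outside this hunk.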
2597: Inside #if constant(Standards.X509)
      report_notice("Adding %s certificate (%d certs) for %s\n",    key->name(), sizeof(cert_nos), get_url()); -  ctx->add_cert(key, rows(certificates, cert_nos), ({ name })); +  // FIXME: Ought to only add "*" for the certificate chains +  // belonging to the default server. +  ctx->add_cert(key, rows(certificates, cert_nos), ({ name, "*" })); +  found = 1;    } -  +  if (!found) { +  CERT_ERROR (KeyFile, +  LOC_M(14, "Private key without matching certificate.\n")); +  continue; +  } +  }      #if 0    // FIXME: How do this in current Pike 8.0?
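Review bot: The `report_notice` at the top of the hunk now under-reports what the call below it does: `add_cert` registers every chain under `"*"` as well as `name`, so each chain also becomes a candidate for clients that send no SNI or an unmatched SNI, and the log line still only mentions `get_url()`. Since the commit message itself describes the fallback choice as random, an operator has no way to tell from the logs which certificate a non-SNI client will be shown; logging the extra registration, e.g. `report_notice("Adding %s certificate (%d certs) for %s (also as non-SNI fallback)\n", key->name(), sizeof(cert_nos), get_url());`, makes that visible without changing behaviour. The FIXME in the hunk already records that `"*"` ought to be limited to the default server's chains; until that is done, the log is the only signal an operator has that a certificate for one name may be presented for another. The `#if constant(Standards.X509)` region and the enclosing function continue past the end of this hunk.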