The Samba-Bugzilla – Attachment 18695 Details for
Bug 15899
Self-signed certificates don't have X509v3 Subject Alternative Name for DNS
[patch]
Patch for v4-23-test
bfixes-tmp423.txt (text/plain), 9.80 KB, created by
Stefan Metzmacher
on 2025-08-27 04:53:30 UTC
Description:
Patch for v4-23-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2025-08-27 04:53:30 UTC
Size:
9.80 KB
patch
obsolete
>From 4d152e86f3cc1de3d3808eb4c8b3bb8758090c72 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 26 Aug 2025 11:22:43 +0200
>Subject: [PATCH 1/3] s4:lib/tls: let tstream_tls_params_server_lpcfg() use
> lpcfg_dns_hostname() internally
>
>This is simpler and the next step will also make use of
>lpcfg_additional_dns_hostnames() too...
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 6116bc64961fb2330df5ff4256b4ef75dca08cf0)
>---
> source3/smbd/server.c | 8 --------
> source4/ldap_server/ldap_server.c | 10 ----------
> source4/ldap_server/ldap_server.h | 1 -
> source4/lib/tls/tls.h | 1 -
> source4/lib/tls/tls_tstream.c | 3 +--
> 5 files changed, 1 insertion(+), 22 deletions(-)
>
>diff --git a/source3/smbd/server.c b/source3/smbd/server.c
>index f7f55420c006..f31ea8946007 100644
>--- a/source3/smbd/server.c
>+++ b/source3/smbd/server.c
>@@ -255,21 +255,13 @@ static NTSTATUS smb_parent_load_tls_certificates(struct smbd_parent_context *par
> struct loadparm_context *lp_ctx)
> {
> struct tstream_tls_params *quic_tlsp = NULL;
>- const char *dns_hostname = NULL;
> NTSTATUS status;
>
> if (parent == NULL) {
> return NT_STATUS_INTERNAL_ERROR;
> }
>
>- dns_hostname = lpcfg_dns_hostname(lp_ctx);
>- if (dns_hostname == NULL) {
>- DBG_ERR("ERROR: lpcfg_dns_hostname() failed\n");
>- return NT_STATUS_INTERNAL_ERROR;
>- }
>-
> status = tstream_tls_params_server_lpcfg(parent,
>- dns_hostname,
> lp_ctx,
> &quic_tlsp);
> if (!NT_STATUS_IS_OK(status)) {
>diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
>index bc3d7cef883e..ced56aafd83f 100644
>--- a/source4/ldap_server/ldap_server.c
>+++ b/source4/ldap_server/ldap_server.c
>@@ -1324,7 +1324,6 @@ static void ldap_reload_certs(struct imessaging_context *msg_ctx,
>
> /* reload certificates */
> status = tstream_tls_params_server_lpcfg(ldap_service,
>- ldap_service->dns_host_name,
> ldap_service->lp_ctx,
> &new_tls_params);
> if (!NT_STATUS_IS_OK(status)) {
>@@ -1432,18 +1431,9 @@ static NTSTATUS ldapsrv_task_init(struct task_server *task)
> ldap_service->current_ev = task->event_ctx;
> ldap_service->current_msg = task->msg_ctx;
>
>- ldap_service->dns_host_name = talloc_asprintf(ldap_service, "%s.%s",
>- lpcfg_netbios_name(task->lp_ctx),
>- lpcfg_dnsdomain(task->lp_ctx));
>- if (ldap_service->dns_host_name == NULL) {
>- status = NT_STATUS_NO_MEMORY;
>- goto failed;
>- }
>-
> ldap_service->parent_pid = getpid();
>
> status = tstream_tls_params_server_lpcfg(ldap_service,
>- ldap_service->dns_host_name,
> ldap_service->lp_ctx,
> &ldap_service->tls_params);
> if (!NT_STATUS_IS_OK(status)) {
>diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h
>index 4e833bea592f..e47859d2b23c 100644
>--- a/source4/ldap_server/ldap_server.h
>+++ b/source4/ldap_server/ldap_server.h
>@@ -115,7 +115,6 @@ struct ldapsrv_call {
> #define LDAP_SERVER_MAX_CHUNK_SIZE ((size_t)(25 * 1024 * 1024))
>
> struct ldapsrv_service {
>- const char *dns_host_name;
> pid_t parent_pid;
> struct tstream_tls_params *tls_params;
> struct tevent_queue *call_queue;
>diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
>index 5c6ab3b2e227..2641b62ae26f 100644
>--- a/source4/lib/tls/tls.h
>+++ b/source4/lib/tls/tls.h
>@@ -84,7 +84,6 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
> const char *tls_priority,
> struct tstream_tls_params **_params);
> NTSTATUS tstream_tls_params_server_lpcfg(TALLOC_CTX *mem_ctx,
>- const char *dns_host_name,
> struct loadparm_context *lp_ctx,
> struct tstream_tls_params **_params);
>
>diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
>index 903ae5404a4a..b28a7cc27e3d 100644
>--- a/source4/lib/tls/tls_tstream.c
>+++ b/source4/lib/tls/tls_tstream.c
>@@ -1659,7 +1659,6 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
> }
>
> NTSTATUS tstream_tls_params_server_lpcfg(TALLOC_CTX *mem_ctx,
>- const char *dns_host_name,
> struct loadparm_context *lp_ctx,
> struct tstream_tls_params **_tlsp)
> {
>@@ -1667,7 +1666,7 @@ NTSTATUS tstream_tls_params_server_lpcfg(TALLOC_CTX *mem_ctx,
> NTSTATUS status;
>
> status = tstream_tls_params_server(mem_ctx,
>- dns_host_name,
>+ lpcfg_dns_hostname(lp_ctx),
> lpcfg_tls_enabled(lp_ctx),
> lpcfg_tls_keyfile(frame, lp_ctx),
> lpcfg_tls_certfile(frame, lp_ctx),
>--
>2.43.0
>
>
>From 3235572704c56bb35a4bacf73eece41c2b195cd3 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 26 Aug 2025 11:55:40 +0200
>Subject: [PATCH 2/3] s4:lib/tls: set GNUTLS_SAN_DNSNAME for self-signed
> certificates
>
>It's better to include X509v3 Subject Alternative Name with
>DNS names in the self-signed certificate...
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 49e179963f56e749dac4e20284dc567e382ccdb2)
>---
> source4/lib/tls/tlscert.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
>index 69a4189dedf0..98ecb6eb134f 100644
>--- a/source4/lib/tls/tlscert.c
>+++ b/source4/lib/tls/tlscert.c
>@@ -110,6 +110,9 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
> TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
> GNUTLS_OID_X520_COMMON_NAME, 0,
> hostname, strlen(hostname)));
>+ TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
>+ hostname, strlen(hostname),
>+ GNUTLS_FSAN_SET));
> TLSCHECK(gnutls_x509_crt_set_key(crt, key));
> TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
> TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
>--
>2.43.0
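Review bot: The NULL check that source3/smbd/server.c used to perform on lpcfg_dns_hostname() is dropped by this series but not reintroduced in this hunk, so a NULL result now goes straight into tstream_tls_params_server() as dns_host_name; when no CA file exists that pointer reaches tls_cert_generate(), which calls strlen(hostname) on it (visible in the tlscert.c context lines below), turning what used to be NT_STATUS_INTERNAL_ERROR into a NULL dereference during certificate generation. Whether lpcfg_dns_hostname() can actually return NULL is not decidable from this page, but the removed smbd code clearly assumed it could. I would keep the guard in the wrapper instead: `const char *dns_host_name = lpcfg_dns_hostname(lp_ctx);` then `if (dns_host_name == NULL) { DBG_ERR("lpcfg_dns_hostname() failed\n"); TALLOC_FREE(frame); return NT_STATUS_INTERNAL_ERROR; }`, releasing `frame` the way the function's other error paths presumably do. The same unguarded call is repeated in the tls_tstream.c hunk of patch 3. tstream_tls_params_server_lpcfg() starts before and ends after this hunk.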
>
>
>From bbc41755c900aaae8b58df0f557cddda2149868b Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 26 Aug 2025 15:22:10 +0200
>Subject: [PATCH 3/3] s4:lib/tls: add additional dns hostnames as
> GNUTLS_SAN_DNSNAME for self-signed certificates
>
>It's better to include X509v3 Subject Alternative Name with
>DNS names also for additional dns hostnames.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Tue Aug 26 22:00:26 UTC 2025 on atb-devel-224
>
>(cherry picked from commit 499656a05011a462b2e44faea7318a02c847de5e)
>---
> source4/lib/tls/tls.h | 2 ++
> source4/lib/tls/tls_tstream.c | 3 +++
> source4/lib/tls/tlscert.c | 13 +++++++++++++
> 3 files changed, 18 insertions(+)
>
>diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
>index 2641b62ae26f..4d988af30e9c 100644
>--- a/source4/lib/tls/tls.h
>+++ b/source4/lib/tls/tls.h
>@@ -28,6 +28,7 @@ struct loadparm_context;
>
> void tls_cert_generate(TALLOC_CTX *mem_ctx,
> const char *hostname,
>+ const char * const *additional_hostnames,
> const char *keyfile, const char *certfile,
> const char *cafile);
>
>@@ -75,6 +76,7 @@ NTSTATUS tstream_tls_params_quic_prepare(struct tstream_tls_params *tlsp);
>
> NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
> const char *dns_host_name,
>+ const char * const *additional_dns_hostnames,
> bool enabled,
> const char *key_file,
> const char *cert_file,
>diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
>index b28a7cc27e3d..7c2b99fbc6b9 100644
>--- a/source4/lib/tls/tls_tstream.c
>+++ b/source4/lib/tls/tls_tstream.c
>@@ -1495,6 +1495,7 @@ int tstream_tls_connect_recv(struct tevent_req *req,
> */
> NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
> const char *dns_host_name,
>+ const char * const *additional_dns_hostnames,
> bool enabled,
> const char *key_file,
> const char *cert_file,
>@@ -1545,6 +1546,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
>
> if (!file_exist(ca_file)) {
> tls_cert_generate(tlsp, dns_host_name,
>+ additional_dns_hostnames,
> key_file, cert_file, ca_file);
> }
>
>@@ -1667,6 +1669,7 @@ NTSTATUS tstream_tls_params_server_lpcfg(TALLOC_CTX *mem_ctx,
>
> status = tstream_tls_params_server(mem_ctx,
> lpcfg_dns_hostname(lp_ctx),
>+ lpcfg_additional_dns_hostnames(lp_ctx),
> lpcfg_tls_enabled(lp_ctx),
> lpcfg_tls_keyfile(frame, lp_ctx),
> lpcfg_tls_certfile(frame, lp_ctx),
>diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
>index 98ecb6eb134f..08386166a559 100644
>--- a/source4/lib/tls/tlscert.c
>+++ b/source4/lib/tls/tlscert.c
>@@ -39,6 +39,7 @@
> */
> void tls_cert_generate(TALLOC_CTX *mem_ctx,
> const char *hostname,
>+ const char * const *additional_hostnames,
> const char *keyfile, const char *certfile,
> const char *cafile)
> {
>@@ -50,6 +51,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
> size_t bufsize;
> size_t keyidsize = sizeof(keyid);
> time_t activation = time(NULL), expiry = activation + LIFETIME;
>+ size_t adhn_idx;
> int ret;
>
> if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
>@@ -113,6 +115,17 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
> TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
> hostname, strlen(hostname),
> GNUTLS_FSAN_SET));
>+ for (adhn_idx = 0;
>+ additional_hostnames != NULL &&
>+ additional_hostnames[adhn_idx] != NULL;
>+ adhn_idx++)
>+ {
>+ const char *adhn = additional_hostnames[adhn_idx];
>+
>+ TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
>+ adhn, strlen(adhn),
>+ GNUTLS_FSAN_APPEND));
>+ }
> TLSCHECK(gnutls_x509_crt_set_key(crt, key));
> TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
> TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
>--
>2.43.0
>
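Review bot: The `additional_hostnames != NULL` test inside the for condition is re-evaluated on every iteration and mixes the NULL guard with the terminator check; hoisting it to `if (additional_hostnames != NULL) {` around a loop whose condition is only `additional_hostnames[adhn_idx] != NULL` reads more clearly and makes the intent obvious. Nothing in the loop skips an empty-string entry or one equal to `hostname`, so the former would produce a zero-length dNSName and the latter a duplicate SAN; whether lpcfg_additional_dns_hostnames() can hand back such values is not visible on this page, so `if (*adhn == '\0') { continue; }` before the TLSCHECK is cheap insurance. A short comment above the first gnutls_x509_crt_set_subject_alt_name() call in the context lines would also help, e.g. `/* Clients validate the name against dNSName SANs (RFC 6125) and ignore the CN, so every name this host serves under must be listed here. */`. tls_cert_generate() continues past the end of the hunk and TLSCHECK's error handling is defined outside it, so I am assuming it bails out on a non-zero return.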
Flags:
slow
:
review+