Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Development and Code Review
(Moderator:
fabian
) »
[SOLVED] Internal certificates and Subject Alternative Name
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED] Internal certificates and Subject Alternative Name (Read 8180 times)
kei
Newbie
Posts: 5
Karma: 0
[SOLVED] Internal certificates and Subject Alternative Name
«
on:
July 27, 2015, 12:56:41 am »
Hi,
I've have started with opnsense a week ago and I am very pleased. Great work!
Setting up IPSEC I needed Certificates with Subject Alternative Name set. The GUI provides a great screen for internal certificates with this extension. Unfortunately the resulting certificate does not contain any of the information provided.
Upgrading from 15.1 to 15.7 did not help, so I looked into the source and found the following:
/etc/inc/certs.inc starts with
define("OPEN_SSL_CONF_PATH", "/etc/ssl/openssl.cnf");
the file exists, but is not picked up anywhere, as php expects this information to be passed in OPENSSL_CONF (see
http://php.net/manual/en/openssl.installation.php
).
Investigation shows that openssl picks
/usr/local/openssl/openssl.cnf
down in function cert_create is the handling of SAN, it appends $cert_type with "_san" to signal openssl the custom information which it puts in the environment. This variable is never read.
Moreover there is no section in openssl.cnf that would react on the environment variable.
I have no build environment and would not want to setup one for this, yet suggest the following changes:
Replace OPEN_SSL_CONF_PATH definition with a comment on where the default openssl.cnf is picked up.
Change cert_create as follows:
$ca_serial = ++$ca['serial'];
$cert_type = "usr_cert";
// in case of using Subject Alternative Names use other sections (with postfix '_san')
// pass subjectAltName over environment variable 'SAN'
if ($dn['subjectAltName']) {
putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file
$cert_type .= '_san';
unset($dn['subjectAltName']);
}
$args = array(
"x509_extensions" =>
$cert_type
,
"digest_alg" => $digest_alg,
Then add a section to /usr/local/openssl/openssl.cnf after the end of the existing usr_cert section, just duplicating its content and adding 1 line. I have removed here the commented lines.
[ usr_cert_san ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName= $ENV::SAN
I have patched my live system with this and obtained proper certificates with Subject Alternative Name.
I guess this did not get much attention as most of us have CA infrastructure in place elsewhere.
I hope this helps and can make it into some upcoming patch.
Keep up the good work!
Cheers,
Kei
«
Last Edit: January 09, 2016, 09:51:09 am by franco
»
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: Internal certificates and Subject Alternative Name
«
Reply #1 on:
July 27, 2015, 01:25:53 pm »
Hi kei,
thanks for the detailed report/fix. I remember this code and the reason why we did not keep the overrides for the feature: we split the base system and ports in two and since we did not have a template engine the decided to keep the standard file and see how far we get with it.
We'll put it back with a proper template generation for the SAN extensions (and others). We're tracking this via:
https://github.com/opnsense/core/issues/280
Cheers,
Franco
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: Internal certificates and Subject Alternative Name
«
Reply #2 on:
August 18, 2015, 05:43:23 pm »
SAN setting is somehow broken in LibreSSL via PHP OpenSSL bindings... need to find a way to rewrite or to get that fixed properly. Debugging info is sparse.
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: Internal certificates and Subject Alternative Name
«
Reply #3 on:
January 09, 2016, 09:50:55 am »
This has been shipped recently for OpenSSL and LibreSSL.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Development and Code Review
(Moderator:
fabian
) »
[SOLVED] Internal certificates and Subject Alternative Name