From 3323b29f10175d4100eb00a3787fa1c15e71e413 Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Fri, 27 Feb 2015 12:51:06 +0100
Subject: [PATCH] always include SNI as SAN entry To be as robust as possible, we include the SNI value always as a Subject Alternative Name. Second, we make sure that the server address is in the list as well.
---
 libmproxy/proxy/server.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libmproxy/proxy/server.py b/libmproxy/proxy/server.py
index 4e5760679..8544ff723 100644
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@@ -260,11 +260,12 @@ class ConnectionHandler:
 sans = []
 if self.server_conn.ssl_established and (not self.config.no_upstream_cert):
 upstream_cert = self.server_conn.cert
+ sans.extend(upstream_cert.altnames)
 if upstream_cert.cn:
+ sans.append(host)
 host = upstream_cert.cn.decode("utf8").encode("idna")
- sans = upstream_cert.altnames
- elif self.server_conn.sni:
- sans = [self.server_conn.sni]
+ if self.server_conn.sni:
+ sans.append(self.server_conn.sni)
 ret = self.config.certstore.get_cert(host, sans)
 if not ret:
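Review bot: The new SAN list can carry duplicate entries: `sans.extend(upstream_cert.altnames)` followed by `sans.append(self.server_conn.sni)` re-adds the SNI whenever it is already among the upstream altnames, and `sans.append(host)` does the same when the address equals an altname, so the generated certificate (and, if `certstore.get_cert` keys a cache on the list, its cache key) is not canonical. Guarding the appends, `if host not in sans: sans.append(host)` and `if self.server_conn.sni not in sans: sans.append(self.server_conn.sni)`, keeps the list deduplicated without changing the set of names attested. Separately, the commit message says the server address is always included, but `sans.append(host)` runs only inside `if upstream_cert.cn:`; when the upstream cert has no CN, or there is no upstream TLS at all, the address ends up only as the CN passed to `get_cert`, not as a SAN, which validators that disregard CN once a SAN extension is present would presumably not accept. Appending `host` before the `if upstream_cert.cn:` branch, or initialising the list as `sans = [host]`, would match the stated intent. The enclosing method starts outside the hunk, so where `host` is first bound is not visible here.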