always include SNI as SAN entry
To be as robust as possible, we always include the SNI value as a Subject Alternative Name. We also make sure that the server address is in the list.
parent
c51a1dbb11
commit
3323b29f10
|
@ -260,11 +260,12 @@ class ConnectionHandler:
|
||||||
sans = []
|
sans = []
|
||||||
if self.server_conn.ssl_established and (not self.config.no_upstream_cert):
|
if self.server_conn.ssl_established and (not self.config.no_upstream_cert):
|
||||||
upstream_cert = self.server_conn.cert
|
upstream_cert = self.server_conn.cert
|
||||||
|
sans.extend(upstream_cert.altnames)
|
||||||
if upstream_cert.cn:
|
if upstream_cert.cn:
|
||||||
|
sans.append(host)
|
||||||
host = upstream_cert.cn.decode("utf8").encode("idna")
|
host = upstream_cert.cn.decode("utf8").encode("idna")
|
||||||
sans = upstream_cert.altnames
|
if self.server_conn.sni:
|
||||||
elif self.server_conn.sni:
|
sans.append(self.server_conn.sni)
|
||||||
sans = [self.server_conn.sni]
|
|
||||||
|
|
||||||
ret = self.config.certstore.get_cert(host, sans)
|
ret = self.config.certstore.get_cert(host, sans)
|
||||||
if not ret:
|
if not ret:
|
||||||
|
|
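Review bot: `sans.append(host)` appears to sit inside the `if upstream_cert.cn:` branch, so the server address reaches the SAN list only when the upstream certificate carries a CN. With `no_upstream_cert` set, or an upstream certificate that has altnames but no CN, `host` would be passed to `get_cert` without being listed as a SAN, which does not match the commit description and matters for clients that validate against SANs only. Unless `certstore.get_cert` already adds it (not visible here), consider seeding the list unconditionally with `sans = [host]` in place of `sans = []`. The SNI value is chosen by the client and will often repeat an upstream altname, so the list can now hold duplicates; `sans = list(set(sans))` before the lookup would keep the generated certificate and any cache key stable. Indentation is lost in this rendering and the function starts outside the hunk, so the branch placement should be confirmed against the file.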