always include SNI as SAN entry

To be as robust as possible, we now always include the SNI value as a Subject
Alternative Name. We also make sure that the server address is in the
list as well.
This commit is contained in:
Maximilian Hils 2015-02-27 12:51:06 +01:00
parent c51a1dbb11
commit 3323b29f10
1 changed files with 4 additions and 3 deletions


@ -260,11 +260,12 @@ class ConnectionHandler:
sans = [] sans = []
if self.server_conn.ssl_established and (not self.config.no_upstream_cert): if self.server_conn.ssl_established and (not self.config.no_upstream_cert):
upstream_cert = self.server_conn.cert upstream_cert = self.server_conn.cert
sans.extend(upstream_cert.altnames)
if upstream_cert.cn: if upstream_cert.cn:
sans.append(host)
host = upstream_cert.cn.decode("utf8").encode("idna") host = upstream_cert.cn.decode("utf8").encode("idna")
sans = upstream_cert.altnames if self.server_conn.sni:
elif self.server_conn.sni: sans.append(self.server_conn.sni)
sans = [self.server_conn.sni]
ret = self.config.certstore.get_cert(host, sans) ret = self.config.certstore.get_cert(host, sans)
if not ret: if not ret:
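Review bot: The rebuilt `sans` list can now carry the same name more than once — `host` is appended inside the CN branch and the SNI is appended unconditionally afterwards, so a client whose SNI equals `host` (or one of `upstream_cert.altnames`) yields duplicate SAN entries in the generated certificate; guarding the last append with `if self.server_conn.sni and self.server_conn.sni not in sans:` keeps the list unique without changing which names are covered. Whether `self.config.certstore.get_cert` keys its cache on the full `sans` list is not visible here; if it does, duplicates and ordering differences would also produce separate cache entries for the same set of names. The reordering in the CN branch deserves a why-comment, e.g. `# keep the requested host as a SAN before the upstream CN replaces it as the commonname`, since the append-before-reassign order is easy to break in a later edit. The enclosing method starts and ends outside the hunk.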