always include SNI as SAN entry

To be as robust as possible, we include the SNI value always as a Subject Alternative Name. Second, we make sure that the server address is in the list as well.
2015-02-27 12:51:06 +01:00 · 2015-02-27 12:51:06 +01:00 · 3323b29f10
parent c51a1dbb11
commit 3323b29f10
1 changed files with 4 additions and 3 deletions
--- a/libmproxy/proxy/server.py
+++ b/libmproxy/proxy/server.py
@ -260,11 +260,12 @@ class ConnectionHandler:
            sans = []
            if self.server_conn.ssl_established and (not self.config.no_upstream_cert):
                upstream_cert = self.server_conn.cert
+                sans.extend(upstream_cert.altnames)
                if upstream_cert.cn:
+                    sans.append(host)
                    host = upstream_cert.cn.decode("utf8").encode("idna")
-                sans = upstream_cert.altnames
-            elif self.server_conn.sni:
-                sans = [self.server_conn.sni]
+            if self.server_conn.sni:
+                sans.append(self.server_conn.sni)

            ret = self.config.certstore.get_cert(host, sans)
            if not ret: