session BUGFIX Fix TLS connection with Subject Alternative Name

synther · michalvasko · commit a3b66320c59d · 2021-08-26T15:17:06.000+02:00
Without the fix, it's impossible to connect to the server using client authentication based on Subject Alternative Name from a X.509 client certificate. The commit fixes the following <cert-to-name> mapping [1]: - san-rfc822-name - san-dns-name x - san-ip-address - san-any Fixes #328 Links: [1] https://datatracker.ietf.org/doc/html/rfc7407#section-4.1
diff --git a/src/session_server_tls.c b/src/session_server_tls.c
@@ -285,7 +285,7 @@ nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type
         }
         sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
 
-        if (i < san_count) {
+        if (i == san_count) {
             switch (map_type) {
             case NC_TLS_CTN_SAN_RFC822_NAME:
                 WRN(NULL, "Certificate does not include the SAN rfc822Name field.");

Original file line number	Diff line number	Diff line change
`@@ -285,7 +285,7 @@ nc_tls_ctn_get_username_from_cert(X509 *client_cert, NC_TLS_CTN_MAPTYPE map_type`
`285`	`285`	`}`
`286`	`286`	`sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);`
`287`	`287`
`288`		`- if (i < san_count) {`
	`288`	`+ if (i == san_count) {`
`289`	`289`	`switch (map_type) {`
`290`	`290`	`case NC_TLS_CTN_SAN_RFC822_NAME:`
`291`	`291`	`WRN(NULL, "Certificate does not include the SAN rfc822Name field.");`