Posted to commits@trafficserver.apache.org by sh...@apache.org on 2015/01/23 15:37:23 UTC

trafficserver git commit: TS-3243: Remove warnings while loading certificates with duplicate names.

Repository: trafficserver
Updated Branches:
  refs/heads/master abe603564 -> 4f043934c


TS-3243: Remove warnings while loading certificates with duplicate names.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/4f043934
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/4f043934
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/4f043934

Branch: refs/heads/master
Commit: 4f043934c5d8e56e2ea6fa8f88badb7345e37d1c
Parents: abe6035
Author: shinrich <sh...@yahoo-inc.com>
Authored: Fri Jan 23 08:36:45 2015 -0600
Committer: shinrich <sh...@yahoo-inc.com>
Committed: Fri Jan 23 08:36:45 2015 -0600

----------------------------------------------------------------------
 CHANGES                |  3 +++
 iocore/net/SSLUtils.cc | 14 +++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4f043934/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 8022ffe..48f10e6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 5.3.0
 
+  *) [TS-3243] Removing warnings from loading certificates with duplicated 
+   names.
+
   *) [TS-3316] Fix the build for 32 bit architectures.
 
   *) [TS-3100] Extend tr-pass to allow malformed HTTP GET requested to be blind

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4f043934/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 536d656..7c52234 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1568,6 +1568,7 @@ ssl_index_certificate(SSLCertLookup * lookup, SSLCertContext const& cc, const ch
 
   // Insert a key for the subject CN.
   subject = X509_get_subject_name(cert);
+  ats_scoped_str subj_name;
   if (subject) {
     int pos = -1;
     for (;;) {
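Review bot: `subj_name` is declared empty here and assigned only inside the CN loop of the next hunk, but the third hunk passes it to `strcmp(dns, subj_name)` unconditionally. For a certificate with no subject or no CN entry (SAN-only certificates are valid), that call would receive a null pointer, assuming a default-constructed `ats_scoped_str` holds NULL, so loading such a certificate could crash the process rather than index its SAN entries. Guard the comparison, e.g. `if ((const char *) subj_name == NULL || strcmp(dns, subj_name) != 0) {`, and check `dns` the same way if `asn1_strdup` can return NULL. Because the loop overwrites `subj_name` on every CN it visits, only the last CN is compared, so a SAN equal to an earlier CN would still produce the duplicate warning. ssl_index_certificate begins and ends outside these hunks.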
@@ -1578,10 +1579,10 @@ ssl_index_certificate(SSLCertLookup * lookup, SSLCertContext const& cc, const ch
 
       X509_NAME_ENTRY * e = X509_NAME_get_entry(subject, pos);
       ASN1_STRING * cn = X509_NAME_ENTRY_get_data(e);
-      ats_scoped_str name(asn1_strdup(cn));
+      subj_name = asn1_strdup(cn);
 
-      Debug("ssl", "mapping '%s' to certificate %s", (const char *) name, certfile);
-      lookup->insert(name, cc);
+      Debug("ssl", "mapping '%s' to certificate %s", (const char *) subj_name, certfile);
+      lookup->insert(subj_name, cc);
     }
   }
 
@@ -1596,8 +1597,11 @@ ssl_index_certificate(SSLCertLookup * lookup, SSLCertContext const& cc, const ch
       name = sk_GENERAL_NAME_value(names, i);
       if (name->type == GEN_DNS) {
         ats_scoped_str dns(asn1_strdup(name->d.dNSName));
-        Debug("ssl", "mapping '%s' to certificate %s", (const char *) dns, certfile);
-        lookup->insert(dns, cc);
+        // only try to insert if the alternate name is not the main name
+        if (strcmp(dns, subj_name) != 0) {
+          Debug("ssl", "mapping '%s' to certificate %s", (const char *) dns, certfile);
+          lookup->insert(dns, cc);
+        }
       }
     }