[PATCH] Squid 3.1 - Honour alternate DNS names within the subjectAltName extension of X509 SSL certificates

From: James Brotchie <brotchie_at_gmail.com>
Date: Wed, 3 Feb 2010 12:14:10 +1000

When negotiating SSL connections Squid 3.1 currently only matches the
server name against the peer certificate's common name. Some X509
certs use the subjectAltName extension, which can specify a number of
alternate DNS names for which the certificate is valid. Code to handle
the subjectAltName extension is available in Squid 2.7 but has not
been ported to 3.1. I'm not 100% sure if this is an oversight or if
there is some outstanding security issue with honouring additional DNS
names.

Here's a patch against Squid 3.1.0.16 that ports the subjectAltName
handling code from Squid 2.7.

Also available as a bzr branch @ lp:~brotchie/squid/ssl-subjectAltName-3.1

Cheers,
James
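The check the message is about, as an added illustration that is not Squid's code nor the patch itself: hostname verification that consults subjectAltName dNSName entries rather than only the commonName. It follows the RFC 2818 rule (SAN dNSName entries take precedence; CN is a fallback only when no dNSName is present) and assumes certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates are constructed.

```python
"""Hostname verification that honours subjectAltName dNSName entries.

Certificates are represented in the dict shape returned by Python's
ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a tuple
of (type, value) pairs; 'subjectAltName' is a tuple of (type, value).
"""


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A single '*' is allowed only as
    the whole leftmost label and matches exactly one label, so
    '*.example.com' matches 'www.example.com' but not 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False  # reject partial wildcards such as 'w*.example.com'
    host_head, _, host_tail = hostname.partition(".")
    return host_head != "" and host_tail == tail


def san_dns_names(cert: dict) -> list:
    """All dNSName values carried in the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def common_names(cert: dict) -> list:
    """All commonName values in the subject DN."""
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def match_hostname(cert: dict, hostname: str) -> bool:
    """RFC 2818 3.1: if any dNSName SAN entries exist, only they are
    consulted; the subject commonName is used solely when there are none."""
    names = san_dns_names(cert) or common_names(cert)
    return any(_match_dns_name(n, hostname) for n in names)


# Constructed sample certificates (not real certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "cache.example.net"),),),
    "subjectAltName": (("DNS", "cache.example.net"),
                       ("DNS", "*.cdn.example.net"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "origin.example.org"),),)}
```

A CN-only matcher, the behaviour the message describes for 3.1, would reject `edge1.cdn.example.net` against `CERT_WITH_SAN` even though the certificate is valid for it.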

Received on Wed Feb 03 2010 - 02:14:18 MST

This archive was generated by hypermail 2.2.0 : Wed Feb 03 2010 - 12:00:04 MST