http://issues.apache.org/bugzilla/show_bug.cgi?id=37911

Summary: Incorrect warning "RSA server certificate CommonName (CN) `*.xxxxx.xxx' does NOT match server name!?"
Product: Apache httpd-2
Version: 2.0.55
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

The logic for deciding if a warning about the certificate CN not matching the server name is incorrect for the case of wildcard certificates. (It incorrectly drops into the normal test for a valid wildcard certificate)

The fix is:

--- ssl_engine_init.c.sav 2005-12-09 16:36:21.000000000 +0000 +++ ssl_engine_init.c 2005-12-14 18:23:01.360818339 +0000 @@ -834,14 +836,16 @@ if (SSL_X509_getCN(ptemp, cert, &cn)) { int fnm_flags = FNM_PERIOD|FNM_CASE_BLIND; - if (apr_fnmatch_test(cn) && - (apr_fnmatch(cn, s->server_hostname, - fnm_flags) == FNM_NOMATCH)) - { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + if (apr_fnmatch_test(cn)) + { + if (apr_fnmatch(cn, s->server_hostname, + fnm_flags) == FNM_NOMATCH) + { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "%s server certificate wildcard CommonName (CN) `%s' " "does NOT match server name!?", ssl_asn1_keystr(type), cn); + } } else if (strNE(s->server_hostname, cn)) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
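
Review bot: in the new `if (apr_fnmatch_test(cn))` branch a wildcard CN is judged only by `apr_fnmatch(cn, s->server_hostname, fnm_flags)`, and with `fnm_flags` set to `FNM_PERIOD|FNM_CASE_BLIND` the `*` is not confined to one DNS label, so a CN such as `*.example.com` (constructed example) produces no warning for a server name like `a.b.example.com`, which clients following RFC 2818 would reject. Since a matching wildcard now skips the `else if (strNE(s->server_hostname, cn))` test entirely, consider also requiring that the CN and the server name have the same number of labels before treating the match as good. Two smaller points: the untouched `strNE` fallback compares case-sensitively while the wildcard path is case-blind, so the two branches disagree on names that differ only in case; and the added `{` after the single-line `if (apr_fnmatch_test(cn))` sits on its own line, unlike the `if (SSL_X509_getCN(...)) {` and `else if (...) {` lines around it. The hunk header `@@ -834,14 +836,16 @@` starts two lines later on the new side, so the modified file carries an earlier change that is not in this patch; please confirm the diff is complete against 2.0.55.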
