Merge pull request #3982 from mhils/critical-san

Certs: mark SAN as critical if no CN is set
Maximilian Hils 2020-06-23 23:43:37 +02:00 committed by GitHub
commit 1f6a980df3


@ -106,7 +106,10 @@ def dummy_cert(privkey, cacert, commonname, sans, organization):
cert.gmtime_adj_notBefore(-3600 * 48)
cert.gmtime_adj_notAfter(DEFAULT_EXP_DUMMY_CERT)
cert.set_issuer(cacert.get_subject())
if commonname is not None and len(commonname) < 64:
is_valid_commonname = (
commonname is not None and len(commonname) < 64
)
if is_valid_commonname:
cert.get_subject().CN = commonname
if organization is not None:
cert.get_subject().O = organization
@ -114,7 +117,13 @@ def dummy_cert(privkey, cacert, commonname, sans, organization):
if ss:
cert.set_version(2)
cert.add_extensions(
[OpenSSL.crypto.X509Extension(b"subjectAltName", False, ss)])
[OpenSSL.crypto.X509Extension(
b"subjectAltName",
# RFC 5280 §4.2.1.6: subjectAltName is critical if subject is empty.
not is_valid_commonname,
ss
)]
)
cert.add_extensions([
OpenSSL.crypto.X509Extension(
b"extendedKeyUsage",
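Review bot: The criticality flag passed to the subjectAltName extension is derived from the CN alone (`not is_valid_commonname`), but the subject can still be non-empty when `organization` is set a few lines earlier, so a certificate with an over-long CN and an O attribute gets a critical SAN even though its subject is not empty — RFC 5280 §4.2.1.6 only requires critical when the subject is an empty sequence and recommends non-critical otherwise. Compute the condition from the whole subject instead, e.g. `subject_is_empty = not is_valid_commonname and organization is None` after the O block and pass `subject_is_empty` as the criticality argument, and reword the comment to "RFC 5280 §4.2.1.6: subjectAltName MUST be critical when the subject is empty". It also looks like, unchanged by this commit, an invalid CN combined with an empty `ss` yields a certificate with neither subject nor SAN; whether callers can reach that case is not visible here. dummy_cert's definition begins above the hunk.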