authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-10 11:40:43 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-10 11:42:30 +0200
commit33bb8877f9213df23668eb21c4ebec5b1f5c77a6 (patch)
tree18d761ee985d918b98d8fcc819afa80902c10287
parente5a6b244859aa0f876e8a7be8b173999819ad8fe (diff)
cert cred: add the CN to the list of known hostnames only if no dns_names
That is, follow RFC 6125 and support the CN only as a fallback.
-rw-r--r--lib/x509.c23
1 files changed, 14 insertions, 9 deletions
diff --git a/lib/x509.c b/lib/x509.c
index 6d4890feba..3d46caecff 100644
--- a/lib/x509.c
+++ b/lib/x509.c
@@ -322,6 +322,7 @@ static int get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t * names)
size_t max_size;
int i, ret = 0, ret2;
char name[MAX_CN];
+ unsigned have_dns_name = 0;
for (i = 0; !(ret < 0); i++) {
max_size = sizeof(name);
@@ -330,6 +331,8 @@ static int get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t * names)
gnutls_x509_crt_get_subject_alt_name(crt, i, name,
&max_size, NULL);
if (ret == GNUTLS_SAN_DNSNAME) {
+ have_dns_name = 1;
+
ret2 =
_gnutls_str_array_append(names, name,
max_size);
@@ -340,15 +343,17 @@ static int get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t * names)
}
}
- max_size = sizeof(name);
- ret =
- gnutls_x509_crt_get_dn_by_oid(crt, OID_X520_COMMON_NAME, 0, 0,
- name, &max_size);
- if (ret >= 0) {
- ret = _gnutls_str_array_append(names, name, max_size);
- if (ret < 0) {
- _gnutls_str_array_clear(names);
- return gnutls_assert_val(ret);
+ if (have_dns_name == 0) {
+ max_size = sizeof(name);
+ ret =
+ gnutls_x509_crt_get_dn_by_oid(crt, OID_X520_COMMON_NAME, 0, 0,
+ name, &max_size);
+ if (ret >= 0) {
+ ret = _gnutls_str_array_append(names, name, max_size);
+ if (ret < 0) {
+ _gnutls_str_array_clear(names);
+ return gnutls_assert_val(ret);
+ }
}
}
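Review bot: The new `if (have_dns_name == 0)` guard treats every way of leaving the SAN loop as "no dNSName present": the loop `for (i = 0; !(ret < 0); i++)` stops on any negative return from gnutls_x509_crt_get_subject_alt_name(), so a read that fails for another reason (for example a name that does not fit in `name[MAX_CN]`) before the first dNSName is seen still falls through to the CN. If the intent is to use the CN only when the certificate really carries no dNSName, consider making the fallback conditional on the loop's final code, e.g. `if (have_dns_name == 0 && ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {`, and returning the error otherwise; this assumes the lines hidden between the hunks do not overwrite `ret`. A short comment above the block such as `/* RFC 6125: use the CN only when the certificate has no dNSName SAN */` would also record why the guard exists. get_x509_name starts before and continues past the visible hunks.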