authorSergei Golubchik <serg@mariadb.org>2017-04-25 23:00:58 +0200
committerSergei Golubchik <serg@mariadb.org>2017-04-27 19:12:44 +0200
commit1b27c254731747756d254f96cd8666dae3f0809b (patch)
tree4647958d45742c088fcb6e6afd01797fc6972158 /mysql-test/lib/generate-ssl-certs.sh
parentb8c840500816c514b6722145a7f307c499793b69 (diff)
MDEV-10594 SSL hostname verification fails for SubjectAltNames
use X509_check_host for OpenSSL 1.0.2+

This adds:
* support for subjectAltNames
* wildcards
* sub-domain matching
Diffstat (limited to 'mysql-test/lib/generate-ssl-certs.sh')
-rwxr-xr-xmysql-test/lib/generate-ssl-certs.sh7
1 files changed, 7 insertions, 0 deletions
diff --git a/mysql-test/lib/generate-ssl-certs.sh b/mysql-test/lib/generate-ssl-certs.sh
index e5e995489a0..8f15ba9d521 100755
--- a/mysql-test/lib/generate-ssl-certs.sh
+++ b/mysql-test/lib/generate-ssl-certs.sh
@@ -29,4 +29,11 @@ openssl req -newkey rsa:1024 -keyout client-key.pem -out demoCA/client-req.pem -
openssl rsa -in client-key.pem -out client-key.pem
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -infiles demoCA/client-req.pem
+# with SubjectAltName, only for OpenSSL 1.0.2+
+cat > demoCA/sanext.conf <<EOF
+subjectAltName=DNS:localhost
+EOF
+openssl req -newkey rsa:1024 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
+openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -infiles demoCA/serversan-req.pem
+
rm -rf demoCA
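Review bot: The new server key on the added `openssl req` line is generated with `rsa:1024`. That matches the existing client key, but it is below what newer OpenSSL builds accept at the default security level on several distributions, so the SAN fixture may be rejected as a too-small key before hostname verification is reached; I would use `-newkey rsa:2048` here. The fixture also carries only `subjectAltName=DNS:localhost`, so on its own it covers the exact-match path; the wildcard and sub-domain cases named in the commit message, and a negative mismatch case, would need more SAN entries or a second certificate unless the tests cover them elsewhere. Unlike client-key.pem, serversan-key.pem is not passed through `openssl rsa -in … -out …`, so its on-disk key format may differ from the other fixtures.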