The branch, master has been updated
via 499656a0501 s4:lib/tls: add additional dns hostnames as
GNUTLS_SAN_DNSNAME for self-signed certificates
via 49e179963f5 s4:lib/tls: set GNUTLS_SAN_DNSNAME for self-signed
certificates
via 6116bc64961 s4:lib/tls: let tstream_tls_params_server_lpcfg() use
lpcfg_dns_hostname() internally
from ddac5c999f4 winbindd: CID 1508963 Fixing print statement for time_t
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 499656a05011a462b2e44faea7318a02c847de5e
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 26 15:22:10 2025 +0200
s4:lib/tls: add additional dns hostnames as GNUTLS_SAN_DNSNAME for
self-signed certificates
It's better to include X509v3 Subject Alternative Name with
DNS names also for additional dns hostnames.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Autobuild-User(master): Stefan Metzmacher <[email protected]>
Autobuild-Date(master): Tue Aug 26 22:00:26 UTC 2025 on atb-devel-224
commit 49e179963f56e749dac4e20284dc567e382ccdb2
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 26 11:55:40 2025 +0200
s4:lib/tls: set GNUTLS_SAN_DNSNAME for self-signed certificates
It's better to include X509v3 Subject Alternative Name with
DNS names in the self-signed certificate...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
commit 6116bc64961fb2330df5ff4256b4ef75dca08cf0
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 26 11:22:43 2025 +0200
s4:lib/tls: let tstream_tls_params_server_lpcfg() use lpcfg_dns_hostname()
internally
This is simpler, and the next step will also make use of
lpcfg_additional_dns_hostnames()...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15899
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/server.c | 8 --------
source4/ldap_server/ldap_server.c | 10 ----------
source4/ldap_server/ldap_server.h | 1 -
source4/lib/tls/tls.h | 3 ++-
source4/lib/tls/tls_tstream.c | 6 ++++--
source4/lib/tls/tlscert.c | 16 ++++++++++++++++
6 files changed, 22 insertions(+), 22 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index f7f55420c00..f31ea894600 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -255,21 +255,13 @@ static NTSTATUS smb_parent_load_tls_certificates(struct
smbd_parent_context *par
struct loadparm_context
*lp_ctx)
{
struct tstream_tls_params *quic_tlsp = NULL;
- const char *dns_hostname = NULL;
NTSTATUS status;
if (parent == NULL) {
return NT_STATUS_INTERNAL_ERROR;
}
- dns_hostname = lpcfg_dns_hostname(lp_ctx);
- if (dns_hostname == NULL) {
- DBG_ERR("ERROR: lpcfg_dns_hostname() failed\n");
- return NT_STATUS_INTERNAL_ERROR;
- }
-
status = tstream_tls_params_server_lpcfg(parent,
- dns_hostname,
lp_ctx,
&quic_tlsp);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/ldap_server/ldap_server.c
b/source4/ldap_server/ldap_server.c
index bc3d7cef883..ced56aafd83 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -1324,7 +1324,6 @@ static void ldap_reload_certs(struct imessaging_context
*msg_ctx,
/* reload certificates */
status = tstream_tls_params_server_lpcfg(ldap_service,
- ldap_service->dns_host_name,
ldap_service->lp_ctx,
&new_tls_params);
if (!NT_STATUS_IS_OK(status)) {
@@ -1432,18 +1431,9 @@ static NTSTATUS ldapsrv_task_init(struct task_server
*task)
ldap_service->current_ev = task->event_ctx;
ldap_service->current_msg = task->msg_ctx;
- ldap_service->dns_host_name = talloc_asprintf(ldap_service, "%s.%s",
- lpcfg_netbios_name(task->lp_ctx),
- lpcfg_dnsdomain(task->lp_ctx));
- if (ldap_service->dns_host_name == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto failed;
- }
-
ldap_service->parent_pid = getpid();
status = tstream_tls_params_server_lpcfg(ldap_service,
- ldap_service->dns_host_name,
ldap_service->lp_ctx,
&ldap_service->tls_params);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/ldap_server/ldap_server.h
b/source4/ldap_server/ldap_server.h
index 4e833bea592..e47859d2b23 100644
--- a/source4/ldap_server/ldap_server.h
+++ b/source4/ldap_server/ldap_server.h
@@ -115,7 +115,6 @@ struct ldapsrv_call {
#define LDAP_SERVER_MAX_CHUNK_SIZE ((size_t)(25 * 1024 * 1024))
struct ldapsrv_service {
- const char *dns_host_name;
pid_t parent_pid;
struct tstream_tls_params *tls_params;
struct tevent_queue *call_queue;
diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
index 2fc74f75c29..d8354911402 100644
--- a/source4/lib/tls/tls.h
+++ b/source4/lib/tls/tls.h
@@ -28,6 +28,7 @@ struct loadparm_context;
void tls_cert_generate(TALLOC_CTX *mem_ctx,
const char *hostname,
+ const char * const *additional_hostnames,
const char *keyfile, const char *certfile,
const char *cafile);
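Review bot: The new `additional_hostnames` parameter on tls_cert_generate() carries no comment stating its contract, and the same goes for `additional_dns_hostnames` on tstream_tls_params_server() in the next hunk. The implementation in tlscert.c tolerates a NULL pointer and stops at the first NULL element, so the prototype should say so, e.g. `/* NULL, or a NULL-terminated array of extra DNS names added as SAN entries */`. A caller that assembles the array by hand needs that terminator requirement spelled out, since a missing one would read past the end of the array.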
@@ -75,6 +76,7 @@ NTSTATUS tstream_tls_params_quic_prepare(struct
tstream_tls_params *tlsp);
NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
const char *dns_host_name,
+ const char * const *additional_dns_hostnames,
bool enabled,
const char *key_file,
const char *cert_file,
@@ -84,7 +86,6 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
const char *tls_priority,
struct tstream_tls_params **_params);
NTSTATUS tstream_tls_params_server_lpcfg(TALLOC_CTX *mem_ctx,
- const char *dns_host_name,
struct loadparm_context *lp_ctx,
struct tstream_tls_params **_params);
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 1206bbdd58e..f91388947c2 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -1516,6 +1516,7 @@ int tstream_tls_connect_recv(struct tevent_req *req,
*/
NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
const char *dns_host_name,
+ const char * const *additional_dns_hostnames,
bool enabled,
const char *key_file,
const char *cert_file,
@@ -1566,6 +1567,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
if (!file_exist(ca_file)) {
tls_cert_generate(tlsp, dns_host_name,
+ additional_dns_hostnames,
key_file, cert_file, ca_file);
}
@@ -1680,7 +1682,6 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
}
NTSTATUS tstream_tls_params_server_lpcfg(TALLOC_CTX *mem_ctx,
- const char *dns_host_name,
struct loadparm_context *lp_ctx,
struct tstream_tls_params **_tlsp)
{
@@ -1688,7 +1689,8 @@ NTSTATUS tstream_tls_params_server_lpcfg(TALLOC_CTX
*mem_ctx,
NTSTATUS status;
status = tstream_tls_params_server(mem_ctx,
- dns_host_name,
+ lpcfg_dns_hostname(lp_ctx),
+
lpcfg_additional_dns_hostnames(lp_ctx),
lpcfg_tls_enabled(lp_ctx),
lpcfg_tls_keyfile(frame, lp_ctx),
lpcfg_tls_certfile(frame, lp_ctx),
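Review bot: The result of `lpcfg_dns_hostname(lp_ctx)` is passed straight into tstream_tls_params_server() with no NULL check, while the server.c hunk above removes exactly that guard from its caller. Whether tstream_tls_params_server() rejects a NULL dns_host_name is not visible here; if it does not, the value reaches `strlen(hostname)` in tls_cert_generate() whenever a certificate has to be generated. A guard ahead of the call would preserve the old behaviour: `const char *dns_host_name = lpcfg_dns_hostname(lp_ctx);` followed by `if (dns_host_name == NULL) { TALLOC_FREE(frame); return NT_STATUS_INTERNAL_ERROR; }`. tstream_tls_params_server_lpcfg() begins and ends outside this hunk.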
diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index 69a4189dedf..08386166a55 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -39,6 +39,7 @@
*/
void tls_cert_generate(TALLOC_CTX *mem_ctx,
const char *hostname,
+ const char * const *additional_hostnames,
const char *keyfile, const char *certfile,
const char *cafile)
{
@@ -50,6 +51,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
size_t bufsize;
size_t keyidsize = sizeof(keyid);
time_t activation = time(NULL), expiry = activation + LIFETIME;
+ size_t adhn_idx;
int ret;
if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
@@ -110,6 +112,20 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
GNUTLS_OID_X520_COMMON_NAME, 0,
hostname, strlen(hostname)));
+ TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
+ hostname,
strlen(hostname),
+ GNUTLS_FSAN_SET));
+ for (adhn_idx = 0;
+ additional_hostnames != NULL &&
+ additional_hostnames[adhn_idx] != NULL;
+ adhn_idx++)
+ {
+ const char *adhn = additional_hostnames[adhn_idx];
+
+ TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt,
GNUTLS_SAN_DNSNAME,
+ adhn,
strlen(adhn),
+
GNUTLS_FSAN_APPEND));
+ }
TLSCHECK(gnutls_x509_crt_set_key(crt, key));
TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
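Review bot: The `for` condition re-tests `additional_hostnames != NULL` on every iteration and folds the missing-array case into the end-of-array case, which makes the loop header three lines long and harder to read than an explicit guard. Hoisting the pointer check into an `if` around the loop leaves a one-line loop condition and keeps the `size_t adhn_idx` declared in the earlier hunk. The loop's error handling relies on whatever TLSCHECK() does on failure, which is not visible in this hunk; tls_cert_generate() continues beyond it.
```c
	/* … unchanged: CN and primary SAN entry for hostname … */
	if (additional_hostnames != NULL) {
		for (adhn_idx = 0; additional_hostnames[adhn_idx] != NULL; adhn_idx++) {
			const char *adhn = additional_hostnames[adhn_idx];

			TLSCHECK(gnutls_x509_crt_set_subject_alt_name(crt,
					GNUTLS_SAN_DNSNAME,
					adhn,
					strlen(adhn),
					GNUTLS_FSAN_APPEND));
		}
	}
	/* … unchanged: set_key, set_serial, set_activation_time … */
```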
--
Samba Shared Repository