
Bug #23130

Subject Alternative Name support in SSL certificates

Added by Patryk Prus over 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Expected
Assignee:
Suraj Ravichandran
Category:
Middleware
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Chrome 58 removes support for using the commonName to match a domain to a certificate: https://www.chromestatus.com/features/4981025180483584
Firefox has already dropped support as of Firefox 48: https://bugzilla.mozilla.org/show_bug.cgi?id=1245280

FreeNAS currently generates certificates without a Subject Alternative Name section. Chrome 58 is currently in Beta (which is how I ran across the issue) and will probably be promoted to stable within the next month. Once released all FN-generated certificates will be rejected with NET::ERR_CERT_COMMON_NAME_INVALID.

There is a ticket open for FreeNAS Corral (https://bugs.freenas.org/issues/22926) but I wanted to request that any Corral fixes for SAN support be backported to 9.10.


SSL_fail.png (83.2 KB) SSL_fail.png Patryk Prus, 04/06/2017 07:15 AM
Capture.PNG (113 KB) Capture.PNG Samuel Harmer, 05/18/2017 11:20 PM
CreateCert.png (18.2 KB) CreateCert.png Ruan Kritzinger, 07/25/2017 05:30 AM
InternalCA.png (16.3 KB) InternalCA.png Ruan Kritzinger, 07/25/2017 05:30 AM
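To make the policy change behind this report concrete, here is an added example (not FreeNAS code, and not part of the original ticket) that checks a certificate the way Chrome 58+ and Firefox 48+ do: only Subject Alternative Name entries count, and the subject commonName is ignored. The certificate dicts are constructed for this example in the shape that Python's `ssl.SSLSocket.getpeercert()` returns; the hostnames and addresses in them are made up. A certificate that carries only a CN, which is what the reporter describes FreeNAS generating, is reported with the same `NET::ERR_CERT_COMMON_NAME_INVALID` verdict the browser shows.

```python
"""SAN-only hostname matching, mirroring Chrome 58+ / Firefox 48+ behaviour.

Added example, not FreeNAS code. The cert dicts below are constructed to
look like ssl.SSLSocket.getpeercert() output; they are not real certificates.
"""
import ipaddress

# Constructed sample: what a CN-only certificate looks like to ssl.getpeercert().
CN_ONLY_CERT = {
    "subject": ((("commonName", "freenas.example.lan"),),),
}

# Constructed sample: the same host, but with a SAN section (DNS + IP entries).
SAN_CERT = {
    "subject": ((("commonName", "freenas.example.lan"),),),
    "subjectAltName": (("DNS", "freenas.example.lan"), ("IP Address", "192.168.1.10")),
}

# Constructed sample: a wildcard SAN entry.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.lan"),),),
    "subjectAltName": (("DNS", "*.example.lan"),),
}


def subject_cn(cert: dict):
    """Return the subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname.

    A wildcard is honoured only as the entire leftmost label, never across a
    dot, and never for a bare two-label name (RFC 6125 section 6.4.3 rules).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(cert: dict, host: str) -> bool:
    """True only if `host` is covered by a SAN entry; the CN is ignored."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS":
            if _dns_match(value, host):
                return True
    return False


def legacy_cn_matches(cert: dict, host: str) -> bool:
    """The pre-Chrome-58 fallback: compare the hostname against the CN."""
    cn = subject_cn(cert)
    return cn is not None and _dns_match(cn, host)


def audit(cert: dict, host: str) -> str:
    """Explain what a modern browser will do with this cert for this host."""
    if san_matches(cert, host):
        return "OK"
    if legacy_cn_matches(cert, host):
        # CN would have matched under the old rules, so this is exactly the
        # breakage described in the ticket.
        return "NET::ERR_CERT_COMMON_NAME_INVALID (CN matches, but no SAN entry covers the host)"
    return "MISMATCH (neither SAN nor CN covers the host)"


if __name__ == "__main__":
    for name, cert in (("CN only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        print(f"{name:10s} freenas.example.lan -> {audit(cert, 'freenas.example.lan')}")
    print(f"{'with SAN':10s} 192.168.1.10        -> {audit(SAN_CERT, '192.168.1.10')}")
```

On a real system the same information can be read from the certificate itself with `openssl x509 -in cert.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later); if that prints nothing, the certificate will fail the SAN-only check above regardless of its CN.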

Related issues

Has duplicate: FreeNAS - Feature #23502: Add Subject Alternative Name field to certificate creation dialogue in web UI (Closed: Duplicate, 2017-04-22)

Associated revisions

Revision 8f4a2925 (diff)
Added by Suraj Ravichandran about 4 years ago

Add subjectAlternateName extension to certs and csrs. Ticket: #23130

History

#2 Updated by Bonnie Follweiler over 4 years ago

  • Assignee set to Kris Moore

#3 Updated by Kris Moore over 4 years ago

  • Assignee changed from Kris Moore to Suraj Ravichandran
  • Priority changed from No priority to Expected
  • Target version set to 9.10.3

Suraj, we will need to get this into 9.10.3.

#4 Updated by Suraj Ravichandran over 4 years ago

  • Status changed from Unscreened to Screened

#5 Updated by Kris Moore over 4 years ago

  • Target version changed from 9.10.3 to 9.10.4

#6 Updated by Kris Moore over 4 years ago

  • Target version changed from 9.10.4 to 11.1

#7 Updated by Suraj Ravichandran over 4 years ago

  • Has duplicate Feature #23502: Add Subject Alternative Name field to certificate creation dialogue in web UI added

#8 Updated by Suraj Ravichandran over 4 years ago

  • Target version changed from 11.1 to 11.0

#10 Updated by Vaibhav Chauhan about 4 years ago

I will branch tonight for FreeNAS-11; can you tell me what's the status of the ticket?

#11 Updated by Suraj Ravichandran about 4 years ago

I will get this in before tonight

#12 Updated by Suraj Ravichandran about 4 years ago

  • Status changed from Screened to Needs Developer Review
  • Assignee changed from Suraj Ravichandran to William Grzybowski

When you get the time, please review.

#13 Updated by William Grzybowski about 4 years ago

  • Status changed from Needs Developer Review to Reviewed
  • Assignee changed from William Grzybowski to Suraj Ravichandran

#14 Updated by Vaibhav Chauhan about 4 years ago

  • Status changed from Reviewed to Ready For Release

#15 Updated by Vaibhav Chauhan about 4 years ago

  • Target version changed from 11.0 to 11.0-RC

#16 Updated by Vaibhav Chauhan about 4 years ago

  • Status changed from Ready For Release to Resolved

#17 Updated by Eiko Wagenknecht about 4 years ago

Is this also resolved for the 9.10 branch? I just updated to 9.10.3 and cannot see the option in the UI. Maybe it's not there, maybe I'm looking in the wrong place...

#18 Updated by Suraj Ravichandran about 4 years ago

Nope, not in 9.10... Also, for now just the CN is set as the correct SAN; the options thing is tracked by another ticket, but that too only for 11.

#19 Updated by Samuel Harmer about 4 years ago


Please would you patch this into 9.10-STABLE? (FreeNAS-9.10.2-U3 (e1497f269))

I have a load of certificates signed and managed using FreeNAS and now they're all useless. I would have to spin up a new CA and I really don't want to have to do that.

Furthermore, it seems even if I use --ignore-certificate-errors (Chrome Version 58.0.3029.110 (64-bit)) the page isn't rendering correctly. Not sure if the two are related though. An old version of FF I happened to still have installed (43.01) still renders it fine, fortunately (as I have port 80 disabled on the web interface).

#20 Updated by Suraj Ravichandran about 4 years ago

Hi Samuel Harmer,

Firstly, while I can patch this into 9.10 if need be, it still will not make it so that the existing certificates would be retroactively edited.

You could at the very best reuse your existing CA to issue new certs; would that work for you?

If that satisfies your criteria, then I can request my management to consider a patch release with this fix.

In the end, my manager has to approve that.

I am sorry for your troubles, wish I could have avoided this, but I too am learning as I go with this whole certificate thing. I would like to believe that I am getting better though :-P

Thanks & Regards,

Suraj Ravichandran

#21 Updated by Andrew Meyer about 4 years ago

I second the request to backport this to 9.10. AFAIK there's no stable release of FreeNAS 11 yet, so a fix for FreeNAS 9.10 would be much appreciated.

#22 Updated by Kris Moore about 4 years ago

At the moment we are knee-deep in the 11.0 release cycle (only a couple of weeks out), so we can't drop things and go do a 9.10.X release. However, post 11.0, if there is still some need / demand for this we can consider it.

#23 Updated by Samuel Harmer about 4 years ago

Hi Suraj, Kris,

Yep; I've seen the recent changes in direction and appreciate that everything's probably quite hectic at the moment so fair enough. I think this is one probably worth back-porting in the long-term.

Looking at ssl.py it wouldn't be hard to pass key/value pairs straight to crypto. Leave it as an advanced option in the WebUI if you like: I just want a way to add misc SANs to certs. Otherwise FreeNAS CA is perfectly fit for purpose.

Keep up the excellent work.

Regards,
Samuel

#24 Updated by Ruan Kritzinger about 4 years ago


I am running FreeNAS-11.0-U2 (e417d8aa5) and still do not see this feature (See screens). Apologies if I am missing the obvious, but if not please can this be corrected?

#25 Updated by Dru Lavigne about 4 years ago

Ruan: the fix was in the backend script, not the UI front-end. Are your generated certificates not working in Chrome?

#26 Updated by Suraj Ravichandran about 4 years ago

@Ruan: I have not added the ability to provide extra subject alt names in the UI.

For now, just use the common name input to do the same.

The other stuff (adding misc subject alt pairs to certs) is more of a "nice to have"; I will probably not get around to it this release cycle.

For now, just use the common name.

Thanks
