Certificate Authority SAN names not working in 2.1



  • Hey guys, it appears Subject Alternative Names are not working in the CA module for pfSense 2.1. Not sure where you wanted me to log this, so I figured I would post it here.

    I added SAN names to a certificate and they display within the properties of the cert, but when I try to connect using one of the SAN names I get an SSL error stating the cert does not match. When I connect using the default defined domain name it works just fine.



  • Same problem here!
    The fault is that the certificate has no "Subject Alternative Name" attribute: all "SAN" entries are filled into the "Subject" field, so there is no SAN extension in the certificate.
    Look at the attachments.

    Explanation of the attachments:
    1st: correct SAN certificate created with OpenSSL
    2nd: incorrect SAN certificate created with pfSense 2.1 (part 1)
    3rd: incorrect SAN certificate created with pfSense 2.1 (part 2)

    best regards, Dave
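    The attachments are not reproduced on this page. As an added example (not from the thread and not pfSense code), the script below builds the same two kinds of certificate from a throwaway lab CA with OpenSSL: one whose extra name lives in a real subjectAltName extension, and one that only carries the extra name as a Subject attribute, which approximates the symptom described above. It then checks each certificate for the extension and runs hostname verification the way a TLS client does. The CA name, hostnames and file paths are all constructed for the demo; an OpenSSL binary with `-verify_hostname` support (1.0.2 or later) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): issue two certificates from a throwaway lab CA
# and compare a real subjectAltName extension against names stuffed into the Subject.
# Hostnames, the CA name and all file paths are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so nothing here depends on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[san_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:fw.example.test, DNS:vpn.example.test
EOF

CA_CERT="$WORK/ca.crt"; CA_KEY="$WORK/ca.key"
GOOD_CERT="$WORK/good.crt"   # names carried in a subjectAltName extension (correct)
BAD_CERT="$WORK/bad.crt"     # extra name present only in the Subject DN (the symptom)

# Lab CA (constructed, self-signed, valid for one day).
openssl req -x509 -new -config "$WORK/req.cnf" -extensions v3_ca \
  -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Lab Test CA" \
  -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null

# issue_cert NAME SUBJECT [EXTENSION_SECTION]: CSR plus CA signature; the optional third
# argument names a section of req.cnf whose X.509v3 extensions are added to the cert.
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -n "$3" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
      -days 1 -sha256 -extfile "$WORK/req.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
      -days 1 -sha256 -out "$WORK/$1.crt" 2>/dev/null
  fi
}

issue_cert good "/CN=fw.example.test" san_ext
issue_cert bad  "/CN=fw.example.test/OU=vpn.example.test"

# has_san_extension CERT: succeeds only if an X509v3 subjectAltName extension is present.
has_san_extension() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# hostname_matches CERT HOSTNAME: chain validation plus RFC 6125-style name matching.
# With a SAN extension present the CN is ignored; without one OpenSSL falls back to the CN.
hostname_matches() {
  openssl verify -CAfile "$CA_CERT" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Report, the same inspection you would run on a certificate exported from the firewall.
for cert in "$GOOD_CERT" "$BAD_CERT"; do
  if has_san_extension "$cert"; then san=yes; else san=no; fi
  echo "$(basename "$cert"): SAN extension present: $san"
  for host in fw.example.test vpn.example.test; do
    if hostname_matches "$cert" "$host"; then r=match; else r=MISMATCH; fi
    echo "  $host -> $r"
  done
done
```

    The first certificate matches both names; the second matches only the CN, because a name that sits in the Subject DN as an extra attribute is not a subjectAltName and no client will look for it there. Running `openssl x509 -noout -text` on a certificate issued by the firewall and looking for the "X509v3 Subject Alternative Name" line is the quickest way to tell which case you have.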


  • No new info on this?


  • Netgate Administrator

    This appears to have been a known issue for some time:
    https://redmine.pfsense.org/issues/894

    Steve



  • Hi Stephen,

    This is not an issue, it's a feature request. pfSense 2.1 is the first version supporting additional SANs, but it isn't implemented correctly, so it won't work.

    Thanks for the link; it looks like a bug-tracking system. I'll try to raise a bug.

    Done; Bug #3347



  • I have this problem with Squid 3.4: all SAN certificates are invalid.
    Is there any news about this?


  • Banned

    @tobiascapin:

    I have this problem with Squid 3.4: all SAN certificates are invalid.
    Is there any news about this?

    This should be fixed in 2.2.x. (That said, not verified, since we moved all certificate stuff to AD CS servers.)

    (Not sure how Squid is relevant here; by using the SSL bump junk in Squid you are breaking all certificates intentionally, so SANs are the least of your concern here…  ::))



  • @doktornotor:

    (Not sure how Squid is relevant here; by using the SSL bump junk in Squid you are breaking all certificates intentionally, so SANs are the least of your concern here…  ::))

    I'm under Active Directory, pfSense is a CA for all my clients, so the single-name certificate is working well!
    My problem is the SAN certificates (Facebook, Gmail and so on…) because my browser recognizes only the common name as valid  :o
    When a website serves a certificate with a CN different from its hostname the match fails, even if the original certificate has its hostname in the alternative names (SAN).

