Various small fixes and add support for subjectAltName to the SSL cert check

Joseph Schorr 2015-02-12 14:00:26 -05:00
parent f107b50a46
commit 7a199f63eb
3 changed files with 24 additions and 6 deletions


@ -195,9 +195,23 @@ def _validate_ssl(config):
if common_name is None:
raise Exception('Missing CommonName (CN) from SSL certificate')
if not fnmatch(config['SERVER_HOSTNAME'], common_name):
raise Exception('CommonName (CN) "%s" in SSL cert does not match server hostname "%s"' %
(common_name, config['SERVER_HOSTNAME']))
# Build the list of allowed host patterns.
hosts = set([common_name])
# Find the DNS extension, if any.
for i in range(0, cert.get_extension_count()):
ext = cert.get_extension(i)
if ext.get_short_name() == 'subjectAltName':
value = str(ext)
hosts.update([host.strip()[4:] for host in value.split(',')])
# Check each host.
for host in hosts:
if fnmatch(config['SERVER_HOSTNAME'], host):
return
raise Exception('Supported names "%s" in SSL cert do not match server hostname "%s"' %
(', '.join(list(hosts)), config['SERVER_HOSTNAME']))
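Review bot: The `[4:]` slice in `hosts.update([host.strip()[4:] for host in value.split(',')])` assumes every subjectAltName entry starts with `DNS:`, but the string form of that extension can also carry other entry types (for example `IP Address:` or `email:`), which would be cut at the wrong offset and added to `hosts` as meaningless patterns. Keep only DNS entries, e.g. `hosts.update(h.strip()[4:] for h in value.split(',') if h.strip().startswith('DNS:'))`. Separately, `fnmatch` is looser than TLS hostname matching, since `*` spans dots and `?` and `[...]` are treated as patterns, so this check can pass for a certificate that clients will reject; a comment stating that limit, or a single-label wildcard comparison, would make it explicit. The context lines above also still raise when the CN is missing, even if a SAN entry would match. `_validate_ssl` begins outside the hunk, so how `cert` and `common_name` are obtained is not visible here.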