From 793be472c9d145eb9be7d4200672d1806289d84a Mon Sep 17 00:00:00 2001
From: afdy
Date: Thu, 2 May 2024 08:43:15 +0100
Subject: [PATCH] update adhoc tls dev cert format single host in cn field san extension for wildcard name

---
 CHANGES.rst             | 1 +
 src/werkzeug/serving.py | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 05e5acf29..279fd3f7d 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -6,6 +6,7 @@ Version 3.0.3
 Unreleased
 
 - Make reloader more robust when ``""`` is in ``sys.path``. :pr:`2823`
+- Better TLS cert format with ``adhoc`` dev certs. :pr:`2891`
 
 
 Version 3.0.2
diff --git a/src/werkzeug/serving.py b/src/werkzeug/serving.py
index ad6bf911b..7f6ea922e 100644
--- a/src/werkzeug/serving.py
+++ b/src/werkzeug/serving.py
@@ -532,7 +532,10 @@ def generate_adhoc_ssl_pair(
         .not_valid_before(dt.now(timezone.utc))
         .not_valid_after(dt.now(timezone.utc) + timedelta(days=365))
         .add_extension(x509.ExtendedKeyUsage([x509.OID_SERVER_AUTH]), critical=False)
-        .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
+        .add_extension(
+            x509.SubjectAlternativeName([x509.DNSName(cn), x509.DNSName(f"*.{cn}")]),
+            critical=False,
+        )
         .sign(pkey, hashes.SHA256(), backend)
     )
     return cert, pkey
@@ -560,7 +563,7 @@ def make_ssl_devcert(
     """
 
     if host is not None:
-        cn = f"*.{host}/CN={host}"
+        cn = host
     cert, pkey = generate_adhoc_ssl_pair(cn=cn)
 
     from cryptography.hazmat.primitives import serialization
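Review bot: The wildcard entry `x509.DNSName(f"*.{cn}")` in the new SubjectAlternativeName is built unconditionally, so whenever `cn` is not a plain DNS host name the certificate carries a SAN that no RFC 6125 client will ever match — an IP literal like `127.0.0.1` (common for a dev server) becomes `*.127.0.0.1`, and a `cn` that is already a wildcard becomes `*.*.example`, which is not a valid wildcard position; `x509.DNSName` does not reject these strings, so the bad name silently ends up in the signed cert. The default value of `cn` is assigned earlier in generate_adhoc_ssl_pair, outside this hunk, so confirm it cannot itself be a wildcard or an IP literal before the f-string is applied to it. A minimal guard is to build the list before the builder chain (which also starts outside the hunk), `san = [x509.DNSName(cn)]`, `if not cn.startswith("*"): san.append(x509.DNSName(f"*.{cn}"))`, and then `.add_extension(x509.SubjectAlternativeName(san), critical=False)`; an IP literal would additionally need `x509.IPAddress` instead of `x509.DNSName` to be verifiable by clients at all. A one-line comment stating that the `*.{cn}` entry is there so the dev cert also covers one level of subdomains of the host would make the intent clear to the next reader.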
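Review bot: With `cn = host` the host name is now passed through unchanged, so the docstring of make_ssl_devcert, which sits just above this hunk and is not part of it, presumably still tells callers that a given host is used as the CN `*.host/CN=host` — confirm and update it, since that format is exactly what the removed line produced and is no longer true. A wording such as "If a host is given it is used as the CN and a `*.host` wildcard is added to the SubjectAlternativeName" would describe the new behaviour. The remainder of make_ssl_devcert continues after the hunk.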