
Certificate has multiple Subject Alternative Name extensions --> not accepted by Firefox #652

Closed
deepsky100 opened this issue Apr 12, 2023 · 2 comments

Comments

@deepsky100

It is not possible to open the web interface via https:// with Firefox. The error message from Firefox is:

Secure connection failed
SEC_ERROR_EXTENSION_VALUE_INVALID

(Firefox 111.01 running on Ubuntu)

Tracing the issue further down, it seems that multiple extensions of Subject Alternative Name are generated but not allowed in the certificate. Instead, the DNS names need to be concatenated and included in a single SAN extension.

Steps to reproduce the behavior:

  1. Install and start CUPS
  2. Open Web interface via https:// in Firefox
  3. Error message SEC_ERROR_EXTENSION_VALUE_INVALID in Firefox
  4. Check generated certificates in /etc/cups/ssl, e.g. with sudo openssl x509 -in /etc/cups/ssl/box.crt -text
  5. You will see two entries for X509v3 Subject Alternative Name:
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:box
            X509v3 Subject Alternative Name: 
                DNS:box.local

With the help of this forum entry:
openssl/openssl#11706
I was able to fix the issue in the source file tls-openssl.c.
Please see my patch file attached. After applying the patch, the certificate is generated with a single SAN extension and multiple entries within this SAN extension:

    X509v3 Subject Alternative Name:
        DNS:box, DNS:box.local

This certificate seems correct now and is also accepted by Firefox.

System Information:

  • OS and its version: Ubuntu 22.10
  • Firefox 111.01
  • Latest CUPS version from master branch, commit 55f86e0

Additional context
None

patch_tls-openssl.zip
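A defender-side check for the defect described above, added here as an example and not part of the issue or of CUPS: a small stdlib-only DER walker that counts how many subjectAltName extensions a certificate carries and lists the dNSName entries in each. The two Extensions blobs at the bottom are constructed to mirror the before/after shapes shown in the `openssl x509 -text` output; `check_san`, `san_ext` and the other names are this example's own.

```python
# Stdlib-only X.509 DER walker: flag certificates that carry more than one
# subjectAltName extension (the shape Firefox rejects with
# SEC_ERROR_EXTENSION_VALUE_INVALID). Inputs at the bottom are constructed.
SAN_OID = bytes.fromhex("551d11")  # DER value bytes of OID 2.5.29.17 (subjectAltName)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def extensions_from_cert(cert_der):
    """Return the Extensions SEQUENCE TLV of a DER certificate (explicit tag [3])."""
    _, tbs, _ = read_tlv(read_tlv(cert_der)[1])         # Certificate -> TBSCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:                                 # [3] EXPLICIT Extensions
            return val
    return b"\x30\x00"                                  # no extensions: empty SEQUENCE

def san_extensions(extensions_der):
    """One list of dNSName strings per SAN extension present (RFC 5280 allows at most one)."""
    found = []
    for _, ext in children(read_tlv(extensions_der)[1]):
        parts = list(children(ext))                     # [extnID, (critical)?, extnValue]
        if parts[0][1] != SAN_OID:
            continue
        _, general_names, _ = read_tlv(parts[-1][1])    # OCTET STRING wraps GeneralNames SEQ
        found.append([v.decode("ascii") for t, v in children(general_names) if t == 0x82])
    return found

def check_san(extensions_der):
    sans = san_extensions(extensions_der)
    return {"san_extensions": len(sans), "dns_names": sum(sans, []), "ok": len(sans) <= 1}

def tlv(tag, value):                                    # DER encoder, short-form lengths only
    return bytes([tag, len(value)]) + value

def san_ext(*names):                                    # one SAN extension holding `names`
    gns = b"".join(tlv(0x82, n.encode()) for n in names)   # dNSName is [2] IMPLICIT IA5String
    return tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30, gns)))

# Constructed Extensions blobs mirroring the issue: two SAN extensions vs. one with two names.
BEFORE_PATCH = tlv(0x30, san_ext("box") + san_ext("box.local"))
AFTER_PATCH = tlv(0x30, san_ext("box", "box.local"))
```

To run it against a real certificate, convert it with `openssl x509 -in /etc/cups/ssl/box.crt -outform DER`, read the bytes, and pass `extensions_from_cert(der)` to `check_san`.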

@michaelrsweet
Member

@zdohnal
Member

zdohnal commented Apr 13, 2023

@michaelrsweet I take it you reviewed the patch as well, and I did a review too; I'll push the fix.
