mux: augment PKI SAN list with getaddrinfo AI_CANONNAME

This should hopefully make things a bit easier to consume for remote clients. refs: #5543
wez · Jul 15, 2024 · c911683 · c911683
1 parent ae9cdad
commit c911683
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 8 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/docs/changelog.md b/docs/changelog.md
@@ -95,6 +95,9 @@ As features stabilize some brief notes about them will accumulate here.
   with an ssh session. Thanks to @daaku! #5494 #5479
 * `default_ssh_domains()` didn't use the default local echo threshold
   for ssh domains. #5547
+* multiplexer: internal PKI certificate now supplements its list of
+  "Subject Alternative Names" with the list of canonical hostnames returned
+  for the local system via `getaddrinfo`. #5543
 
 #### Updated
 * Bundled conpty.dll and OpenConsole.exe to build 1.19.240130002.nupkg

diff --git a/wezterm-mux-server-impl/Cargo.toml b/wezterm-mux-server-impl/Cargo.toml
@@ -13,9 +13,11 @@ async_ossl = { path = "../async_ossl" }
 async-io = "2.3"
 codec = { path = "../codec" }
 config = { path = "../config" }
+dns-lookup = "2.0"
 futures = "0.3"
 hostname = "0.4"
 lazy_static = "1.4"
+libc = "0.2"
 log = "0.4"
 mux = { path = "../mux" }
 portable-pty = { path = "../pty", features = ["serde_support"]}

diff --git a/wezterm-mux-server-impl/src/pki.rs b/wezterm-mux-server-impl/src/pki.rs
@@ -1,6 +1,10 @@
 use anyhow::{anyhow, Context as _};
+#[cfg(unix)]
+use libc::{AF_UNSPEC, AI_CANONNAME, SOCK_DGRAM};
 use rcgen::{BasicConstraints, Certificate, CertificateParams, DistinguishedName, DnType, IsCa};
 use std::path::PathBuf;
+#[cfg(windows)]
+use winapi::shared::ws2def::{AF_UNSPEC, AI_CANONNAME, SOCK_DGRAM};
 
 /// A helper for managing keys for the TLS server component.
 /// Each time the server is started, a new CA is generated
@@ -22,14 +26,35 @@ impl Pki {
     pub fn init() -> anyhow::Result<Self> {
         let pki_dir = config::pki_dir()?;
         std::fs::create_dir_all(&pki_dir)?;
-        log::error!("runtime dir is {}", pki_dir.display());
-
-        let alt_names = vec![
-            hostname::get()?
-                .into_string()
-                .map_err(|_| anyhow!("hostname is not representable as unicode"))?,
-            "localhost".to_owned(),
-        ];
+        log::debug!("pki dir is {}", pki_dir.display());
+
+        let hostname = hostname::get()?
+            .into_string()
+            .map_err(|_| anyhow!("hostname is not representable as unicode"))?;
+
+        let mut alt_names = vec![hostname.clone(), "localhost".to_owned()];
+
+        let hints = dns_lookup::AddrInfoHints {
+            flags: AI_CANONNAME,
+            address: AF_UNSPEC,
+            socktype: SOCK_DGRAM,
+            protocol: 0,
+        };
+
+        if let Ok(iter) = dns_lookup::getaddrinfo(Some(&hostname), None, Some(hints)) {
+            for entry in iter {
+                if let Ok(entry) = entry {
+                    if let Some(canon) = entry.canonname {
+                        alt_names.push(canon);
+                    }
+                }
+            }
+        }
+
+        alt_names.sort();
+        alt_names.dedup();
+        log::debug!("generating cert with alt_names={alt_names:?}");
+
         let unix_name = config::username_from_env()?;
 
         // Create the CA certificate