BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes

The problem is that the certificate is generated with a CN greater than
64 bytes when the SNI is too long, which is not suppose to be supported,
and will end up with a handshake failure.

The patch fixes the issue by avoiding to add a CN when the SNI is longer than
64 bytes. Indeed this is not a mandatory field anymore and was deprecated more
than 20 years ago. The SAN DNS is enough for this case.

Must be backported in every stable branches.

reg-tests/ssl/ssl_generate_certificate.vtc

@@ -150,7 +150,7 @@ client c5 -connect ${h1_clearlst_sock} {
 # Use another SNI - the server certificate should be generated and different
 # than the default one
 client c6 -connect ${h1_clearlst_sock} {
-  txreq -url "/P-384" -hdr "x-sni: unknown-sni.com"
+  txreq -url "/P-384" -hdr "x-sni: sni-longer-sni-longer-sni-longer-sni-longer-than-64-bytes-unknown-sni.com"
   rxresp
   expect resp.status == 200
   expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"

src/ssl_gencert.c

@@ -141,11 +141,14 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf
 
 	/* Set the subject name using the same, but the CN */
 	name = X509_NAME_dup(name);
-	if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
-				       (const unsigned char *)servername,
-				       -1, -1, 0) != 1) {
-		X509_NAME_free(name);
-		goto mkcert_error;
+
+	if (strlen(servername) <= 64) {
+		if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+		                              (const unsigned char *)servername,
+		                              -1, -1, 0) != 1) {
+			X509_NAME_free(name);
+			goto mkcert_error;
+		}
 	}
 	if (X509_set_subject_name(newcrt, name) != 1) {
 		X509_NAME_free(name);