From 0b85a5d82ec5c0452b13f1a828669c6cb2835796 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 13 Mar 2024 21:58:07 +0000
Subject: [PATCH 1/4] sign-req: Remove default server 'subject alternative name' SAN

Default SAN is removed from Easy-RSA. The default SAN values provided by Easy-RSA are inadequate for purpose. The default name is the same as 'commonName' and, therefore, not alternate. The default IP address is a good example of "more is less".

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 2e2e60f07..482934555 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2210,25 +2210,6 @@ basicConstraints is not defined, cannot use 'pathlen'"
 unset -v ns_cert_type
 esac
 
-# If type is server and no subjectAltName was
-# requested then add one to the extensions file
-if [ -z "$EASYRSA_EXTRA_EXTS" ]; then
-# default server SAN
-case "$crt_type" in
-server|serverClient)
-# req san or default server SAN
-__san="$(display_san req "$req_in")"
-if [ "$__san" ]; then
-__san="subjectAltName = $__san"
-else
-__san="$(default_server_san "$req_in")"
-fi
-[ "$__san" ] || die "No default server SAN!"
-export EASYRSA_EXTRA_EXTS="$__san"
-unset -v __san
-esac
-fi
-
 # Generate the extensions file for this cert:
 ext_tmp=""
 easyrsa_mktemp ext_tmp || \

From a42792a70144407061459eb0afeebf4e04c5426a Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 13 Mar 2024 22:35:39 +0000
Subject: [PATCH 2/4] Remove command 'default-san' and help text

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 482934555..4019793e1 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
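Review bot: With this branch gone a server or serverClient certificate can be signed with no subjectAltName at all, and — unless sign-req copies request extensions elsewhere in the function, which starts and ends outside this hunk — a SAN that the CSR itself carried (the removed `display_san req "$req_in"` path) is now dropped as well, which is a different loss from the synthesised CN-derived default the commit message argues against. Verifiers that follow RFC 6125/9525 (browsers, Go's crypto/x509) ignore commonName and match only SAN dNSName/iPAddress entries, so such a certificate is unusable outside OpenVPN, where `verify-x509-name` still matches on the subject. I would keep the request-SAN passthrough and emit a non-fatal warning when a server certificate ends up without one; `warn` below stands for whatever the script's existing non-fatal message helper is called.

```shell
# … unchanged: ns_cert_type handling …
# Honour a subjectAltName carried by the request itself; never synthesise one.
if [ -z "$EASYRSA_EXTRA_EXTS" ]; then
    case "$crt_type" in
    server|serverClient)
        __san="$(display_san req "$req_in")"
        if [ "$__san" ]; then
            export EASYRSA_EXTRA_EXTS="subjectAltName = $__san"
        else
            warn "Request '$req_in' carries no subjectAltName;" \
                "the server certificate will be issued without one."
        fi
        unset -v __san
    esac
fi
# … unchanged: extensions file generation …
```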
@@ -458,9 +458,6 @@ These commands are safe to test and will NOT effect your PKI.
 Display SAN of certificate:
 display-san
 
-Generate default SAN of request:
-default-san
-
 Display EKU of certificate:
 show-eku
 
@@ -5743,10 +5740,6 @@ Place a copy of easyrsa-tools.lib in a standard system location."
 verify_working_env
 display_san "$@"
 ;;
-default-san)
-verify_working_env
-default_server_san "$@"
-;;
 x509-eku|show-eku)
 verify_working_env
 ssl_cert_x509v3_eku "$@" || \

From c72a9547b3faa46905becb0688fe7e34ae164cb8 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 13 Mar 2024 22:44:55 +0000
Subject: [PATCH 3/4] Remove unused function 'default_server_san()'

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 35 -----------------------------------
 1 file changed, 35 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 4019793e1..434be0892 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -3670,41 +3670,6 @@ display_san - input error"
 fi
 } # => display_san()
 
-# generate default SAN from req/X509, passed by full pathname
-default_server_san() {
-[ "$#" = 1 ] || die "\
-default_server_san - input error"
-
-path="$1"
-shift
-
-# Command line support for
-if [ -e "$path" ]; then
-: # ok
-else
-path="${EASYRSA_PKI}/reqs/${path}.req"
-[ -e "$path" ] || \
-user_error "Missing file: $path"
-fi
-
-# Extract CN from DN
-cn="$(
-easyrsa_openssl req -in "$path" -noout -subject \
--nameopt sep_multiline |
-awk -F'=' '/^ *CN=/{print $2}'
-)"
-
-# See: https://github.com/OpenVPN/easy-rsa/issues/576
-# Select default SAN
-if echo "$cn" | grep -q \
--E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
-then
-print "subjectAltName = IP:$cn"
-else
-print "subjectAltName = DNS:$cn"
-fi
-} # => default_server_san()
-
 # Verify certificate against CA
 verify_cert() {
 # pull filename base:

From 0dc714124d7e3d58399ebfeac97968ab529000f8 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 13 Mar 2024 22:54:48 +0000
Subject: [PATCH 4/4] ChangeLog: Remove default server subject alternative name

Signed-off-by: Richard T Bonhomme
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index 0b693c52f..48861dabe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 3.2.0 (TBD)
+ * Remove default server subject alternative name (0b85a5d) (#576)
 * Move Status Reports to 'easyrsa-tools.lib' (214b909) (#1080)
 * export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a) (#1084 - Based on #1081)