curl-library

Re: subjectAltName does not match - Wrong test?!

From: Peter Sylvester <peter.sylvester_at_edelweb.fr>
Date: Mon, 14 Sep 2009 22:59:48 +0200

>
> I think the check should only fail, if it did not matched an *URI* field with
> the same hostname. Additional fields (with other types) should be ignored.
It's a *DNS* field, not URI, but basically it seems to me that
you are right. RFC 2818 says in detail:

   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity. Otherwise, the (most specific) Common Name
   field in the Subject field of the certificate MUST be used. Although
   the use of the Common Name is existing practice, it is deprecated and
   Certification Authorities are encouraged to use the dNSName instead.

...

   In some cases, the URI is specified as an IP address rather than a
   hostname. In this case, the iPAddress subjectAltName must be present
   in the certificate and must exactly match the IP in the URI.

So we have at least the following 3 defined situations:

hostname is IP address ==> must have IP altname

hostname is dns & altname dns, it must match

hostname is dns & not altname dns, "last" common name must match.

Received on 2009-09-14
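The three cases listed in the message, written out as a small identity-check routine. This is an added example in Python, not curl's own code: `CertIdentity` is a constructed stand-in for the parsed certificate fields, name comparison is exact (wildcard dNSName entries are not handled), and the sample certificates are made up.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """Constructed stand-in for the identity-bearing fields of a parsed certificate."""
    common_names: list                                # Subject CNs in certificate order
    dns_names: list = field(default_factory=list)     # subjectAltName dNSName entries
    ip_addresses: list = field(default_factory=list)  # subjectAltName iPAddress entries (as text)
    other_sans: list = field(default_factory=list)    # rfc822Name, URI, ...: ignored by this check


def _name_eq(a, b):
    """Case-insensitive DNS name compare, ignoring a trailing dot."""
    return a.lower().rstrip(".") == b.lower().rstrip(".")


def matches_identity(cert, hostname):
    """Apply RFC 2818 section 3.1 as summarised in the message; returns (ok, reason)."""
    try:  # Case 1: the URI host is an IP literal (brackets stripped for IPv6)
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        if not cert.ip_addresses:
            return False, "IP hostname but no iPAddress subjectAltName present"
        ok = any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)
        return ok, "iPAddress matches" if ok else "no iPAddress entry matches"
    # Case 2: dNSName entries present -> they are the identity; the CN is not consulted
    if cert.dns_names:
        ok = any(_name_eq(n, hostname) for n in cert.dns_names)
        return ok, "dNSName matches" if ok else "no dNSName entry matches (CN ignored)"
    # Case 3: no dNSName -> most specific (last) Common Name; other SAN types are ignored
    if not cert.common_names:
        return False, "no dNSName and no Common Name"
    ok = _name_eq(cert.common_names[-1], hostname)
    return ok, "Common Name matches" if ok else "Common Name does not match"


# Constructed samples: a CN-only cert with an unrelated email SAN, a cert whose
# dNSName disagrees with its CN, and a cert issued to an IP address.
CERT_CN_ONLY = CertIdentity(["Example Corp", "www.example.com"],
                            other_sans=["email:admin@example.com"])
CERT_DNS_SAN = CertIdentity(["www.example.com"], dns_names=["mail.example.com"])
CERT_IP_SAN = CertIdentity(["gateway"], ip_addresses=["192.0.2.10"])
```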