
Re: Finer control over certificate verification in SSL

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 3 Jun 2010 11:07:40 +0200 (CEST)

On Wed, 2 Jun 2010, Don Dwiggins wrote:

>> I agree. subjectAltName is what was made for exactly that kind of use case,
>> and abusing CN or doing weird comparisons is not what libcurl will do on
>> its own.
>
> Can you elaborate a bit on this? Should I then put the port number into
> subjectAltName in the cert, leaving the domain name in CN? Or should I put
> the whole thing (domainname:port) in subjectAltName and leave CN blank?

Funnily enough, they don't care about port numbers. I would say that one way
you can get around your problem is by simply adding CNAME entries for your
different servers pointing to the same IP, so that each port uses its own
name and then you add all those names in subjectAltName. Like:
port4003.example.com, port4004.example.com and port443.example.com.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-06-03
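The point Daniel makes above is that TLS hostname verification compares the host part of the URL against the certificate's dNSName entries and ignores the port entirely, which is why one extra name per port (via CNAME) works. The following Python script is an added illustration, not code from the thread or from libcurl: it implements a minimal RFC 6125-style dNSName matcher over a constructed subjectAltName list (a plain list of strings standing in for a real X.509 object) and shows that the same name verifies on any port while an unlisted name fails. The URLs, names and the `CERT_SAN_DNS_NAMES` list are all made up for the example.

```python
"""
Added example (not part of the curl-library thread): a minimal RFC 6125-style
dNSName matcher demonstrating that hostname verification looks only at the
host component of the URL, never at the port.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the subjectAltName extension of the certificate
# suggested in the thread: one dNSName per port-specific CNAME.
CERT_SAN_DNS_NAMES = [
    "port4003.example.com",
    "port4004.example.com",
    "port443.example.com",
]


def host_from_url(url: str) -> str:
    """Return the lowercase hostname of a URL with any port stripped.

    This mirrors what a TLS client does before matching: the port is
    used to connect, but it is not part of the identity being verified.
    """
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"no host in {url!r}")
    return parts.hostname.lower()


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a host per RFC 6125 section 6.4.3.

    A wildcard is honoured only as the entire left-most label, and only
    when at least two further labels follow it (so "*.com" never matches).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        if p_labels[0] != "*":
            return False
        if any("*" in label for label in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def verify_url_against_cert(url: str, san_dns_names=None) -> bool:
    """True if the URL's host matches any dNSName in the (constructed) SAN list."""
    names = CERT_SAN_DNS_NAMES if san_dns_names is None else san_dns_names
    host = host_from_url(url)
    return any(dns_name_matches(name, host) for name in names)


if __name__ == "__main__":
    for url in (
        "https://port4003.example.com:4003/",
        "https://port4003.example.com:4004/",   # same name, other port: still OK
        "https://example.com:4003/",            # bare name not in SAN: fails
    ):
        print(f"{url:40} -> {verify_url_against_cert(url)}")
```

Run it as a script to see the three cases; the second URL passes even though the port differs, and the third fails because `example.com` itself is not among the dNSName entries, which is exactly the behaviour that makes the per-port CNAME approach necessary.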