[openssl-users] Subject CN and SANs

[Felipe Gasper]

Wow that’s pretty bad .. is that the current version of httpd??

That’d be worth a big report if so, IMO, though I’d imagine it’s an issue they’re aware of.

-FG

> On Dec 23, 2018, at 6:53 AM, Walter H. <Walter.H at mathemainzel.info> wrote:
> 
> 
> I tried the following
> 
> the certificate had a CN of    test.example.com   and in subjectAltNames dNS were
> test.example.com  and test.example.net
> 
> when the Apache ServerName is   test.example.net  I get this warning
> 
> [Sun Dec 23 12:45:03 2018] [warn] RSA server certificate CommonName (CN) `test.example.com' does NOT match server name!?
> 
> so the CN matters ...
> 
> so the server behavior is something different to the behavior of the client ...
> 
> Walter
> 
>> On 23.12.2018 10:44, Kyle Hamilton wrote:
>> Does Apache only examine CN=, or does it also check subjectAltNames dNS entries?
>> 
>> -Kyle H
>> 
>>> On Sun, Dec 23, 2018 at 3:25 AM Walter H.<Walter.H at mathemainzel.info>  wrote:
>>>> On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
>>>>     >   >. New certificates should only use the subjectAltName extension.
>>>> 
>>>>>     Are any CAs actually doing that? I thought they all still included subject.CN.
>>>> Yes, I think commercial CA's still do it.  But that doesn't make my statement wrong :)
>>>> 
>>> Apache raises a warning at the following condition
>>> 
>>> e.g. a virtual Host defines this:
>>> 
>>> ServerName  www.example.com:443
>>> 
>>> and the SSL certificate has a CN which does not correspond to
>>> CN=www.example.com, e.g.  CN=example.com
>>> 
>>> then the warning looks like this
>>> 
>>> [Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909:
>>> www.example.com:443:0 server certificate does NOT include an ID which
>>> matches the server name
>>> 
>>> and fills up the logs
>>> 
>>> Walter
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users