[openssl-users] Unexpected behavior in certificate hostname check

דרור מויל moyaldror at gmail.com
Tue Sep 18 22:19:22 UTC 2018


Thanks!

On Wed, 19 Sep 2018 at 00:50, Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:

> > On Sep 18, 2018, at 5:27 PM, דרור מויל <moyaldror at gmail.com> wrote:
> >
> > I'm experiencing some unexpected (in my opinion - and I might be in the
> > wrong here) behavior in the hostname checking of the OpenSSL CLI utils.
>
> The default behaviour follows:
>
>    https://tools.ietf.org/html/rfc6125#section-6.4.4
>
> which says:
>
>    As noted, a client MUST NOT seek a match for a reference identifier
>    of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
>    URI-ID, or any application-specific identifier types supported by the
>    client.
>
> > I'm trying to verify the hostname of a certificate which has CN=mysite.com
> > and altSubj=localhost (was generated by the pyca/cryptography example -
> > https://cryptography.io/en/latest/x509/tutorial/#creating-a-self-signed-certificate)
> > and the check always fails on hostname mismatch.
>
> Your certificate is poorly crafted: it must list all the desired domains in
> the subjectAltName extension, and then may repeat one of them in the Subject
> CN as a fallback for legacy software.
>
> > The thing is that when flags=0, X509_check_host will call do_X509_check,
> > which will verify only the altSubjNames and not the CN in the Subj.
>
> As expected.
>
> > I tried to find a way to set the flags to X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
> > using a CLI flag or config, but there is no such option.
> >
> > Was it meant to work like this? Am I missing something?
>
> Obtain a properly crafted certificate and all will be well.
> The host flags are not, IIRC, exposed via the CLI.  Good luck.
>
> --
>         Viktor.
>
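The behaviour Viktor describes above, reproduced as an added example that is not part of the thread: the OpenSSL CLI's `-verify_hostname` goes through X509_check_host() with flags=0, so once a certificate carries a subjectAltName the Subject CN is never consulted (RFC 6125 section 6.4.4), and the fix is a certificate that lists every name in the SAN. The script assumes an `openssl` binary of version 1.1.1 or newer on PATH (for `-addext` and `-ext`); the certificate names, file names and the helper functions `make_cert`, `check_host` and `hostname_ok` are illustrative and not part of OpenSSL.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL.
# Builds two self-signed certificates and runs the CLI hostname check against
# each, showing that only subjectAltName is consulted (Subject CN is ignored).
# Assumes: openssl >= 1.1.1 on PATH (needs -addext and -ext).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN SAN
# Self-signed cert with the given Subject CN and subjectAltName list.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# check_host NAME HOST
# Returns 0 if openssl accepts HOST for the cert, non-zero on mismatch.
# The cert is its own trust anchor (-CAfile), so the only thing that can
# fail here is the hostname check: X509_check_host() with flags=0, i.e. the
# CLI offers no way to set X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT.
check_host() {
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

# hostname_ok NAME HOST : prints "ok" or "mismatch" (script-friendly form).
hostname_ok() {
  if check_host "$1" "$2"; then echo ok; else echo mismatch; fi
}

# 1. The certificate from the question: CN=mysite.com, SAN=DNS:localhost.
#    Because a DNS-ID is present, the CN is not a candidate at all.
make_cert bad mysite.com DNS:localhost

# 2. A properly crafted one: every name in the SAN, one repeated in the CN
#    only as a fallback for legacy software that still looks at CN.
make_cert good mysite.com DNS:mysite.com,DNS:localhost

echo "bad  cert, mysite.com : $(hostname_ok bad mysite.com)"   # mismatch
echo "bad  cert, localhost  : $(hostname_ok bad localhost)"    # ok
echo "good cert, mysite.com : $(hostname_ok good mysite.com)"  # ok
echo "good cert, localhost  : $(hostname_ok good localhost)"   # ok

# What a reviewer should look at when a hostname check fails unexpectedly:
# the SAN contents, not the Subject line.
openssl x509 -in "$WORK/bad.pem" -noout -subject -ext subjectAltName
```

The first line of output is the "hostname mismatch" from the original question, and it is not a bug: the name being checked exists only in the CN, and a SAN is present. Any certificate you mint for test or internal use should be generated the way `good` is here, with the full name list in subjectAltName.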

