fyi: RFC 9525 obsoletes commonName check
Steffen Nurpmeso
steffen at sdaoden.eu
Fri Nov 17 18:15:11 UTC 2023
RFC 9525 changes the way TLS certification is done:
* The server identity can only be expressed in the subjectAltNames
extension; it is no longer valid to use the commonName RDN, known
as CN-ID in [VERIFY].
Not such a big surprise as already the book "Network Security with
OpenSSL" (O'Reilly, ISBN 0-596-00270-X, June 2002; Thank you!)
states:
The common practice with X.509v1 certificates was to put the
FQDN in the certificate's commonName field of the subjectName
field. This practice is no longer recommended for new
applications since X.509v3 allows certificate extensions to hold
the FQDN as well as other identifying information, such as IP
address. The proper place for the FQDN is in the dNSName field
of the subjectAltName extension.
Nonetheless commonName is tested (and sometimes even falsely in
addition to subjectAltName, as just recently fixed for the MUA
i maintain (then removed entirely as a fixup)).
(Slightly adjusted version of an email i sent to another list some
days ago.)
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
More information about the openssl-users
mailing list