Re: RFC 9525 obsoletes commonName check
Georg Höllrigl
georg.hoellrigl at gmx.at
Sat Nov 18 10:21:16 UTC 2023
Hello,
Thank you for this piece of information. It was about time to officially obsolete the CN check ...
Just some additional history here:
CN was deprecated in May 2000 - RFC 2818:
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
In 2017 Chromium enforced use of SAN, and to my knowledge the other browsers followed:
https://chromestatus.com/feature/4981025180483584
https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/
Kind Regards,
Georg
-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On behalf of Steffen Nurpmeso
Sent: 17 November 2023 19:15
To: openssl-users at openssl.org
Subject: fyi: RFC 9525 obsoletes commonName check
RFC 9525 changes the way TLS certification is done:
* The server identity can only be expressed in the subjectAltNames
extension; it is no longer valid to use the commonName RDN, known
as CN-ID in [VERIFY].
Not such a big surprise, as the book "Network Security with OpenSSL" (O'Reilly, ISBN 0-596-00270-X, June 2002; Thank you!) already
states:
The common practice with X.509v1 certificates was to put the
FQDN in the certificate's commonName field of the subjectName
field. This practice is no longer recommended for new
applications since X.509v3 allows certificate extensions to hold
the FQDN as well as other identifying information, such as IP
address. The proper place for the FQDN is in the dNSName field
of the subjectAltName extension.
Nonetheless commonName is tested (and sometimes even falsely in addition to subjectAltName, as just recently fixed for the MUA I maintain (then removed entirely as a fixup)).
(Slightly adjusted version of an email I sent to another list some days ago.)
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off (By Robert Gernhardt)
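The matching rule the two messages describe (RFC 9525: only subjectAltName dNSName/iPAddress entries identify the server, the subject commonName is never consulted, wildcards are limited to the whole left-most label), as an added example that is not part of either message and not OpenSSL's or the MUA's code. It works on a certificate in the shape Python's ssl.SSLSocket.getpeercert() returns; the function names and the two sample certificates are constructed here for illustration. A second function shows the older RFC 2818 CN-ID fallback only as the "before" for contrast.

```python
"""RFC 9525-style server identity matching over a certificate dict in the
shape returned by ssl.SSLSocket.getpeercert(): only subjectAltName entries
count, the subject commonName is ignored even when no SAN is present.

Added example for this thread; not code from OpenSSL or either poster.
The sample certificates at the bottom are constructed inline.
"""
import ipaddress


def dns_name_match(presented: str, reference: str) -> bool:
    """Match one presented dNSName against a reference hostname (RFC 9525 6.3).

    Comparison is case-insensitive and ignores a trailing dot. A '*' is
    honoured only when it is the entire left-most label of a name with at
    least two further labels; it matches exactly one label, so
    '*.example.org' matches 'www.example.org' but not 'a.b.example.org',
    and 'f*.example.com' or '*.com' never match anything.
    """
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if "*" not in presented:
        return presented == reference
    parts = presented.split(".")
    if parts[0] != "*" or len(parts) < 3 or any("*" in p for p in parts[1:]):
        return False
    ref_parts = reference.split(".")
    if len(ref_parts) != len(parts) or ref_parts[0] == "":
        return False
    return ref_parts[1:] == parts[1:]


def san_entries(cert: dict, kind: str) -> list:
    """All subjectAltName values of one kind ('DNS' or 'IP Address')."""
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def verify_reference_identity(cert: dict, reference: str) -> bool:
    """RFC 9525 behaviour: True iff a SAN entry asserts `reference`.

    An IP-address reference is compared only with iPAddress entries and a
    DNS reference only with dNSName entries; the CN plays no role at all.
    """
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        for value in san_entries(cert, "IP Address"):
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed entry in the certificate: no match
        return False
    return any(dns_name_match(p, reference) for p in san_entries(cert, "DNS"))


def verify_with_cn_fallback(cert: dict, reference: str) -> bool:
    """Pre-RFC-9525 behaviour (RFC 2818 / RFC 6125 CN-ID): consult the subject
    commonName only when the certificate carries no dNSName SAN at all.
    Shown for contrast; new code should use verify_reference_identity()."""
    if san_entries(cert, "DNS"):
        return verify_reference_identity(cert, reference)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and dns_name_match(value, reference):
                return True
    return False


# Constructed sample certificates (getpeercert() layout), not real ones.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "*.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "AT"),), (("commonName", "legacy.example.com"),)),
}

if __name__ == "__main__":
    for ref in ("mail.example.com", "ignored.example.net", "www.example.org",
                "a.b.example.org", "192.0.2.10"):
        print(ref, verify_reference_identity(CERT_WITH_SAN, ref))
    print("legacy.example.com (SAN only):",
          verify_reference_identity(CERT_CN_ONLY, "legacy.example.com"))
    print("legacy.example.com (CN fallback):",
          verify_with_cn_fallback(CERT_CN_ONLY, "legacy.example.com"))
```

The point of the two functions side by side is the mistake Steffen describes: checking the CN in addition to the SAN means a reference name that appears only in the CN (here "ignored.example.net") would be accepted, so the CN must be neither a fallback nor an extra match source.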