[openssl-users] Problem with certificate check when it does not match CN

Viktor Dukhovni openssl-users at dukhovni.org
Sun Dec 18 22:08:00 UTC 2016


> On Dec 18, 2016, at 4:52 PM, Brice André <brice at famille-andre.be> wrote:
> 
> I know that the current certificate is the old one, but this
> is because my service is in production.
> 
> I tested new certificate this evening to limit the number of
> impacted clients. And as it did not work, I reinstalled
> previous certificate waiting a solution for the new one.
> 
> If it may help, I can install the new certificate on a
> test site.

Either that, or post a problem report that contains detailed
technical information, rather than a hand-waving story.

What version of OpenSSL are you using?  What O/S platform?
What certificate stores did you configure in your OpenSSL
client?  Which pertinent certificates (post these) did you
ensure are contained in that store?

What certificate chain is returned by the server?
Post the output of:

   $ (sleep 2; exit) |
        openssl s_client -showcerts -connect <name>:<port> 2>&1 |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs | tee chain.pem

Copy the trusted roots into a file named trusted.pem, then
make sure the server's chain validates:

   $ openssl verify -trusted trusted.pem -untrusted chain.pem chain.pem

(post the output...).  [ By the way, your problem is not a bug in DNS
subjectAltName processing in OpenSSL.  Either your server configuration
or client code is in error; if you present sufficient detail, it will
be possible to help you determine which. ]

-- 
	Viktor.
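The checks Viktor asks for, worked through end to end as an added example
that is not part of the thread and is not OpenSSL project code. The script
builds a throwaway CA (written to trusted.pem, as in the post) and three
leaf certificates, runs the same crl2pkcs7/pkcs7 normalisation and
"openssl verify -trusted ... -untrusted ..." check on a file that stands in
for the s_client output, and then adds the hostname check that the original
question is really about. It assumes OpenSSL 1.1.0 or later on PATH (for
-verify_hostname); the CA name, the hostnames www.example.test and
example.test, and the file names are all constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread, not OpenSSL project code).
# Builds a throwaway CA plus three leaf certificates and runs the checks
# Viktor asks for: normalise a chain, verify it against trusted.pem, then
# verify the hostname. It shows that a DNS subjectAltName, when present,
# decides the hostname match and the CN is ignored; the CN is only used as
# a fallback when the certificate carries no DNS SAN at all.
# Assumes OpenSSL 1.1.0 or later on PATH. Every name below (Example Test
# CA, www.example.test, example.test) is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.test

# Throwaway self-signed root, written to trusted.pem as in the post.
make_test_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -sha256 -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/trusted.pem" 2>/dev/null
}

# issue_leaf <label> <CN> <subjectAltName value, or "" for none>
# Signs $WORK/<label>.pem with the test CA. The SAN goes in via -extfile
# because "x509 -req" does not copy extensions out of the CSR.
issue_leaf() {
    label=$1; cn=$2; san=$3
    {
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n'
        if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san"; fi
    } > "$WORK/$label.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$WORK/$label.key" -out "$WORK/$label.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$label.csr" -CA "$WORK/trusted.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -sha256 -days 2 \
        -extfile "$WORK/$label.ext" -out "$WORK/$label.pem" 2>/dev/null
}

# normalize_chain <raw input> <chain.pem>: the post's crl2pkcs7/pkcs7 step,
# fed from a file instead of a live s_client session. Extracts every PEM
# certificate from the input, writes a clean chain, prints the count.
normalize_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs > "$2"
    grep -c 'BEGIN CERTIFICATE' "$2"
}

# verify_chain <chain.pem>: the post's "openssl verify" check. Only the
# first certificate in the file (the leaf, as s_client prints it) is the
# target; the rest are offered as untrusted intermediates.
verify_chain() {
    openssl verify -trusted "$WORK/trusted.pem" -untrusted "$1" "$1" >/dev/null 2>&1
}

# check_hostname <leaf.pem> <hostname>: chain validation plus host check,
# the same logic a client gets from X509_VERIFY_PARAM_set1_host().
check_hostname() {
    openssl verify -trusted "$WORK/trusted.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_test_ca
issue_leaf san_ok  "$HOST" "DNS:$HOST,DNS:example.test"  # SAN and CN both match
issue_leaf san_bad "$HOST" "DNS:example.test"            # CN matches, SAN does not
issue_leaf cn_only "$HOST" ""                            # no SAN: CN fallback applies

# Stand-in for "s_client -showcerts" output: leaf first, then its issuer.
cat "$WORK/san_ok.pem" "$WORK/trusted.pem" > "$WORK/server_output.txt"
n=$(normalize_chain "$WORK/server_output.txt" "$WORK/chain.pem")
echo "chain.pem holds $n certificate(s)"
if verify_chain "$WORK/chain.pem"; then echo "chain: OK"; else echo "chain: FAILED"; fi

for label in san_ok san_bad cn_only; do
    if check_hostname "$WORK/$label.pem" "$HOST"; then r=match; else r=MISMATCH; fi
    echo "$label: hostname check for $HOST -> $r"
done
```

Run it as-is. The chain check passes, san_ok and cn_only match the hostname,
and san_bad is reported as a mismatch even though its CN is exactly the
name being checked: once a certificate carries a DNS subjectAltName, that
list is authoritative and the CN is not consulted. A "new certificate that
does not match the CN" is therefore usually a certificate whose SAN list is
missing the name the client connects to, which is a server-side issuance
problem, not a client bug.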
