[openssl-users] Subject CN and SANs

Walter H. Walter.H at mathemainzel.info
Sun Dec 23 13:50:05 UTC 2018


I guess it's a matter of which Linux you use,

CentOS 7 doesn't give this warning;
CentOS 6 warns about this;

a Debian (don't really know which release)
uname -a
Linux a2f78 3.16.0-7-amd64 #1 SMP Debian 3.16.59-1 (2018-10-03) x86_64 GNU/Linux
does warn ...

Walter

On 23.12.2018 13:21, Felipe Gasper wrote:
> Wow that’s pretty bad .. is that the current version of httpd??
>
> That’d be worth a bug report if so, IMO, though I’d imagine it’s an issue they’re aware of.
>
> -FG
>
>> On Dec 23, 2018, at 6:53 AM, Walter H.<Walter.H at mathemainzel.info>  wrote:
>>
>>
>> I tried the following
>>
>> the certificate had a CN of    test.example.com   and in subjectAltNames dNS were
>> test.example.com  and test.example.net
>>
>> when the Apache ServerName is   test.example.net  I get this warning
>>
>> [Sun Dec 23 12:45:03 2018] [warn] RSA server certificate CommonName (CN) `test.example.com' does NOT match server name!?
>>
>> so the CN matters ...
>>
>> so the server behavior is something different to the behavior of the client ...
>>
>> Walter
>>
>>> On 23.12.2018 10:44, Kyle Hamilton wrote:
>>> Does Apache only examine CN=, or does it also check subjectAltNames dNS entries?
>>>
>>> -Kyle H
>>>
>>>> On Sun, Dec 23, 2018 at 3:25 AM Walter H.<Walter.H at mathemainzel.info>   wrote:
>>>>> On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
>>>>>>> New certificates should only use the subjectAltName extension.
>>>>>
>>>>>>      Are any CAs actually doing that? I thought they all still included subject.CN.
>>>>> Yes, I think commercial CA's still do it.  But that doesn't make my statement wrong :)
>>>>>
>>>> Apache raises a warning at the following condition
>>>>
>>>> e.g. a virtual Host defines this:
>>>>
>>>> ServerName  www.example.com:443
>>>>
>>>> and the SSL certificate has a CN which does not correspond to
>>>> CN=www.example.com, e.g.  CN=example.com
>>>>
>>>> then the warning looks like this
>>>>
>>>> [Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909:
>>>> www.example.com:443:0 server certificate does NOT include an ID which
>>>> matches the server name
>>>>
>>>> and fills up the logs
>>>>
>>>> Walter
>>
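An added example, not code from this thread or from Apache or OpenSSL: the client-side rule the thread contrasts with the server warning (dNSName SANs are consulted first, the CN is only a fallback for certificates that carry no dNSName SAN, and a wildcard is honoured only as the whole left-most label) beside a CN-only check of the kind that produces the warning Walter quotes. The certificate names and ServerName values are the ones from the thread; the function names are my own.

```python
# Added example (not from the thread). RFC 6125-style hostname matching as a TLS
# client performs it, beside a CN-only comparison like the Apache warning above.

def _name_matches(pattern: str, host: str) -> bool:
    """Match one presented identifier against a hostname.

    Case-insensitive; a '*' is accepted only as the entire left-most label and
    matches exactly one label. Conservative extra rule: the wildcard must be
    followed by at least two labels, so '*.com' never matches."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]

def client_matches(cn, san_dns, hostname):
    """Client rule: if any dNSName SAN is present, only the SANs are consulted;
    the subject CN is used only when the certificate has no dNSName SAN."""
    if san_dns:
        return any(_name_matches(name, hostname) for name in san_dns)
    return cn is not None and _name_matches(cn, hostname)

def cn_only_matches(cn, hostname):
    """The comparison behind the CN warning in the thread: SANs are ignored."""
    return cn is not None and _name_matches(cn, hostname)

def check_servername(cn, san_dns, servername):
    """Return (client_accepts, cn_warning) for an Apache ServerName value,
    with an optional ':port' suffix stripped before comparison."""
    host = servername.split(":", 1)[0]
    return client_matches(cn, san_dns, host), not cn_only_matches(cn, host)

if __name__ == "__main__":
    # Walter's certificate: CN test.example.com, SANs test.example.com and test.example.net
    san = ["test.example.com", "test.example.net"]
    print(check_servername("test.example.com", san, "test.example.net"))   # (True, True)
    print(check_servername("test.example.com", san, "test.example.com"))   # (True, False)
    # The earlier scenario: ServerName www.example.com:443, certificate CN example.com, no SAN
    print(check_servername("example.com", [], "www.example.com:443"))      # (False, True)
```

A client accepts the test.example.net virtual host on the strength of the SAN alone, which is exactly the case where the CN-only check still logs a warning.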