[openssl-users] Unexpected behavior in certificate hostname check
moyaldror at gmail.com
Tue Sep 18 21:27:20 UTC 2018
I'm experiencing some unexpected (in my opinion - and I might be in the
wrong here) behavior in hostname checking in the OpenSSL CLI utils.
I'm trying to verify the hostname of a certificate which has CN=mysite.com
and altSubj=localhost (it was generated by the pyca/cryptography example),
and the check always fails on hostname mismatch.
I tried the following:
1. openssl x509 -in certificate.pem -checkhost mysite.com
2. openssl verify -verify_hostname mysite.com certificate.pem
I could see in the code that they both use X509_check_host and they both
call it with flags=0.
The thing is, that when the flags=0, X509_check_host will call
do_X509_check that will verify only the altSubjNames and not the CN in the
I tried to find a way to set the flags
to X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT using a CLI flag or config but
there is no such option.
Was it meant to work like this? Am I missing something?