[openssl-users] Unexpected behavior in certificate hostname check

דרור מויל moyaldror at gmail.com
Tue Sep 18 21:27:20 UTC 2018

I'm experiencing some unexpected (in my opinion - and I might be in the
wrong here) behavior in hostname checking in the OpenSSL CLI utils.
I'm trying to verify the hostname of a certificate which has CN=mysite.com
and altSubj=localhost (it was generated by the pyca/cryptography example) -
and the check always fails on hostname mismatch.
I tried the following:
1. openssl x509 -in certificate.pem -checkhost mysite.com
2. openssl verify -verify_hostname mysite.com certificate.pem

I could see in the code that they both use X509_check_host and they both
call it with flags=0.
The thing is that when flags=0, X509_check_host will call
do_X509_check that will verify only the altSubjNames and not the CN in the
I tried to find a way to set the flags
to X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT using a CLI flag or config but
there is no such option.

Was it meant to work like this? Am I missing something?
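The decision the post describes (with flags=0 the CN is ignored as soon as the certificate carries dNSName subjectAltNames; X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT brings the CN back in), as an added stand-alone model written for this page. It is not OpenSSL's code and not the poster's: the flag values are the ones OpenSSL's x509v3.h defines, the certificate data is a constructed stand-in for a parsed X.509 object, the `Cert`, `dns_match` and `check_host` names are this example's own, and the wildcard handling is the common leftmost-label rule rather than every option OpenSSL supports.

```python
"""Model of the hostname-matching decision X509_check_host makes.

Added example, not OpenSSL source: it reproduces the rule from the post
(flags=0 consults only dNSName SANs when any are present) on constructed
certificate data so the effect of each flag can be seen without a real
certificate or a TLS handshake.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Flag values as defined in OpenSSL's <openssl/x509v3.h>.
X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 0x1
X509_CHECK_FLAG_NO_WILDCARDS = 0x2
X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0x20


@dataclass
class Cert:
    """Stand-in for a parsed certificate: subject CN plus dNSName SANs (assumption)."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def dns_match(pattern: str, host: str, flags: int = 0) -> bool:
    """Case-insensitive DNS-name comparison with the usual wildcard rule:
    only a whole leftmost label may be '*', it matches exactly one label,
    and at least two labels must follow it so '*.com' matches nothing."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if flags & X509_CHECK_FLAG_NO_WILDCARDS:
        return False
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def check_host(cert: Cert, hostname: str, flags: int = 0) -> bool:
    """Model of the post's description of X509_check_host / do_X509_check.

    With dNSName SANs present, the subject CN is only consulted when
    X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is set; with no SANs at all the CN
    is used unless X509_CHECK_FLAG_NEVER_CHECK_SUBJECT forbids it.
    """
    if cert.san_dns:
        if any(dns_match(p, hostname, flags) for p in cert.san_dns):
            return True
        if not flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT:
            # Default behaviour: SANs exist, none matched, CN is ignored.
            return False
    if flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT or cert.common_name is None:
        return False
    return dns_match(cert.common_name, hostname, flags)


# Constructed data mirroring the certificate in the post: CN=mysite.com,
# subjectAltName=DNS:localhost.
POST_CERT = Cert(common_name="mysite.com", san_dns=["localhost"])


def reproduce_post() -> dict:
    """Return the outcome of checking the post's certificate under each setting."""
    return {
        "mysite.com, flags=0": check_host(POST_CERT, "mysite.com", 0),
        "mysite.com, ALWAYS_CHECK_SUBJECT": check_host(
            POST_CERT, "mysite.com", X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
        ),
        "localhost, flags=0": check_host(POST_CERT, "localhost", 0),
    }


if __name__ == "__main__":
    for label, ok in reproduce_post().items():
        print(f"{label}: {'match' if ok else 'hostname mismatch'}")
```

Running it shows the mismatch the post reports for `mysite.com` under the default flags, a match once ALWAYS_CHECK_SUBJECT is set, and a match for `localhost` either way; the practical takeaway for anyone issuing certificates is that every name a client will connect to belongs in the subjectAltName extension, since the CN is not a reliable fallback once a SAN is present.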
