[openssl-users] Unexpected behavior in certificate hostname check
moyaldror at gmail.com
Tue Sep 18 22:19:22 UTC 2018
On Wed, 19 Sep 2018 at 00:50, Viktor Dukhovni <openssl-users at dukhovni.org>
> > On Sep 18, 2018, at 5:27 PM, דרור מויל <moyaldror at gmail.com> wrote:
> > I'm experiencing some unexpected (in my opinion - and I might be in the
> > wrong here) behavior in hostname checking in the OpenSSL CLI utils.
> The default behaviour follows:
> which says:
> As noted, a client MUST NOT seek a match for a reference identifier
> of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
> URI-ID, or any application-specific identifier types supported by the
> > I'm trying to verify the hostname of a certificate which has CN=mysite.com
> > and altSubj=localhost (was generated by pyca/cryptography example -
> > and the check always fails on hostname mismatch.
> Your certificate is poorly crafted; it must list all the desired domains in
> the subjectAltName extension, and then may repeat one of them in the Subject
> CN as a fallback for legacy software.
> > The thing is, that when the flags=0, X509_check_host will call
> > that will verify only the altSubjNames and not the CN in the Subj.
> As expected.
> > I tried to find a way to set the flags to
> > using a CLI flag or config but there is no such option.
> > Was it meant to work like this? Am I missing something?
> Obtain a properly crafted certificate and all will be well.
> The host flags are not, IIRC, exposed via the CLI. Good luck.
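The rule Viktor quotes from RFC 6125 (once any DNS-ID is present in subjectAltName, the Subject CN is not consulted) is exactly why the certificate with CN=mysite.com and SAN=localhost fails for mysite.com. The C model below, added here as an illustration and not code from OpenSSL or from either poster, reproduces that subject-name policy in pure C on constructed inputs: SAN entries are always checked, the CN is a fallback only when no dNSName SAN exists, and an explicit "always check subject" flag re-enables the CN. The MODEL_* flag values and the `model_check_host`, `thread_cert_matches`, `fixed_cert_matches` and `wildcard_cert_matches` names are assumptions of this model; OpenSSL's real equivalents are X509_check_host() with X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT and X509_CHECK_FLAG_NEVER_CHECK_SUBJECT. Wildcard handling is simplified to a single leftmost label.

```c
/* Model of the subject-name policy behind X509_check_host(), written for
 * this thread. It is NOT OpenSSL's code; flag values and names are assumed. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed flag values for the model (OpenSSL's real flags are
 * X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT / X509_CHECK_FLAG_NEVER_CHECK_SUBJECT). */
#define MODEL_ALWAYS_CHECK_SUBJECT 0x1u
#define MODEL_NEVER_CHECK_SUBJECT  0x2u

/* Case-insensitive exact comparison of two DNS names. */
static int name_eq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one presented identifier against the reference hostname.
 * A leading "*." covers exactly one label: "*.example.com" matches
 * "www.example.com" but neither "example.com" nor "a.b.example.com". */
static int id_matches(const char *presented, const char *host)
{
    if (strncmp(presented, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)     /* need a non-empty first label */
            return 0;
        return name_eq(presented + 1, dot); /* compare the ".example.com" part */
    }
    return name_eq(presented, host);
}

/* Decide whether HOST is a valid name for a certificate that presents
 * NSANS dNSName SAN entries and Subject CN (NULL if there is no CN).
 * Returns 1 on match, 0 on mismatch. */
int model_check_host(const char *const *sans, size_t nsans,
                     const char *cn, const char *host, unsigned flags)
{
    size_t i;

    /* Presented DNS-IDs are always consulted first. */
    for (i = 0; i < nsans; i++)
        if (id_matches(sans[i], host))
            return 1;

    /* RFC 6125 6.4.4: with any DNS-ID present, the CN-ID is ignored unless
     * the caller explicitly asks for it; NEVER_CHECK_SUBJECT disables the
     * CN fallback even for SAN-less certificates. */
    if (flags & MODEL_NEVER_CHECK_SUBJECT)
        return 0;
    if (nsans > 0 && !(flags & MODEL_ALWAYS_CHECK_SUBJECT))
        return 0;
    return cn != NULL && id_matches(cn, host);
}

/* The thread's certificate (constructed): CN=mysite.com, SAN=localhost. */
static const char *const thread_sans[] = { "localhost" };

int thread_cert_matches(const char *host, unsigned flags)
{
    return model_check_host(thread_sans, 1, "mysite.com", host, flags);
}

/* The properly crafted version Viktor describes (constructed): every desired
 * name in subjectAltName, one of them repeated in the CN as a legacy fallback. */
static const char *const fixed_sans[] = { "mysite.com", "localhost" };

int fixed_cert_matches(const char *host, unsigned flags)
{
    return model_check_host(fixed_sans, 2, "mysite.com", host, flags);
}

/* A wildcard SAN certificate with no CN at all (constructed). */
static const char *const wild_sans[] = { "*.example.com" };

int wildcard_cert_matches(const char *host)
{
    return model_check_host(wild_sans, 1, NULL, host, 0);
}
```

Running the model over the thread's certificate gives the behaviour the poster saw: `thread_cert_matches("mysite.com", 0)` is 0 because the SAN list is non-empty and the CN is skipped, while the same call with MODEL_ALWAYS_CHECK_SUBJECT returns 1. The fixed certificate matches both names with flags=0, which is the outcome to aim for rather than relying on a flag the CLI does not expose.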