Kevin J. McCarthy wrote in
 <[email protected]>:
 |RFC 6125 section 6.4.4 says the client should not check the
 |Common Name if the cert contains any DNS entries.

Note RFC 9525 completely forbids commonName, and .. now my memory
is a bit flaky, but i am pretty sure i saw messages on some IETF
list fly by, where people who have an idea claimed they have not
seen this in quite some time.

I (i created the commit on 2023-11-09, [2187cf6eff6], so likely
around then i must have read all that) wrote:

+ /* RFC 2818, 3.1. Server Identity
+  * If a subjectAltName extension of type dNSName is present, that MUST
+  * be used as the identity. Otherwise, the (most specific) Common Name
+  * field in the Subject field of the certificate MUST be used. Although
+  * the use of the Common Name is existing practice, it is deprecated and
+  * Certification Authorities are encouraged to use the dNSName instead.
+  *
+  * RFC 9525:
+  * The server identity can only be expressed in the subjectAltNames
+  * extension; it is no longer valid to use the commonName RDN, known
+  * as CN-ID in [VERIFY=RFC 6125=predecessor]. */

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
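Review bot: the comment quotes RFC 2818 section 3.1 (fall back to the Common Name when no dNSName SAN is present) and RFC 9525 (the commonName RDN is no longer valid) side by side without saying which rule the surrounding code follows; one sentence stating the implemented behaviour, in particular whether a CN fallback is still performed for a certificate that carries no subjectAltName at all, would remove that ambiguity. The bracketed `[VERIFY=RFC 6125=predecessor]` also reads like a working note; writing it out as "RFC 9525's [VERIFY] citation, i.e. RFC 6125" would make the quotation clearer.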
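The two identity rules discussed in the thread (RFC 2818's CN fallback versus RFC 9525's SAN-only matching), as an added example that is not code from the thread or from the commit mentioned; it assumes the caller has already extracted the SAN dNSName entries and the subject Common Name from the certificate, and the hostnames are constructed sample values.

```python
"""Hostname matching against a certificate's presented identities.

Added example (not from the thread or the mentioned commit). Assumes the
SAN dNSName list and the Common Name were already parsed out of the
certificate; certificate parsing itself is out of scope here.
"""
from typing import Iterable, Optional


def _dns_id_match(pattern: str, host: str) -> bool:
    """Match one presented DNS-ID against the reference hostname.

    A wildcard is honoured only when it is the entire left-most label and
    it matches exactly one label: *.example.com matches a.example.com but
    neither example.com nor a.b.example.com, and w*.example.com is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False  # partial or non-left-most wildcard: do not match
    host_head, _, host_tail = host.partition(".")
    return bool(host_head) and host_tail == tail


def verify_identity(host: str, san_dns: Iterable[str],
                    common_name: Optional[str],
                    policy: str = "rfc9525") -> bool:
    """Return True if the certificate's identities match `host`.

    policy="rfc9525": only SAN dNSName entries count; the CN is never used.
    policy="rfc2818": SAN dNSName entries, if any are present, are the
    identity; only a certificate with no dNSName entries falls back to the
    (deprecated) Common Name.
    """
    san_dns = list(san_dns)
    if any(_dns_id_match(p, host) for p in san_dns):
        return True
    if policy == "rfc2818" and not san_dns and common_name:
        return _dns_id_match(common_name, host)
    return False
```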
