On Mon, Apr 20, 2026 at 06:20:52PM +0200, Steffen Nurpmeso wrote:
Kevin J. McCarthy wrote in <[email protected]>:

 |RFC 6125 section 6.4.4 says the client should not check the
 |Common Name if the cert contains any DNS entries.

Note RFC 9525 completely forbids commonName, and .. now my memory is a bit flaky, but I am pretty sure I saw messages on some IETF list fly by, where people who have an idea claimed they have not seen this in quite some time.

I (I created the commit on 2023-11-09, [2187cf6eff6], so likely around then I must have read all that) wrote:

+ /* RFC 2818, 3.1. Server Identity
+ * If a subjectAltName extension of type dNSName is present, that MUST
+ * be used as the identity. Otherwise, the (most specific) Common Name
+ * field in the Subject field of the certificate MUST be used. Although
+ * the use of the Common Name is existing practice, it is deprecated and
+ * Certification Authorities are encouraged to use the dNSName instead.
+ *
+ * RFC 9525:
+ * The server identity can only be expressed in the subjectAltNames
+ * extension; it is no longer valid to use the commonName RDN, known
+ * as CN-ID in [VERIFY=RFC 6125=predecessor]. */
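Review bot: the `[VERIFY=RFC 6125=predecessor]` token at the end of the RFC 9525 paragraph reads as an unresolved editing marker rather than a finished citation; replace it with the plain reference (for example `known as CN-ID in RFC 6125, the predecessor of RFC 9525`) before the comment lands on master. The comment also quotes two rules that disagree (RFC 2818 permits a Common Name fallback when no dNSName is present, RFC 9525 forbids the Common Name entirely) without stating which of the two the verification code actually follows; one sentence naming the chosen behaviour would spare the next reader from re-deriving it from the code.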
Thank you Steffen. I think for now, I will commit the change to master. It's probably safe by now to make the change, but I don't think the severity of the issue merits making the change in a stable release.

-- 
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
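The identity-selection rule discussed in this thread (RFC 6125 6.4.4: ignore the Common Name whenever dNSName entries are present; RFC 9525: never use the Common Name at all), as an added example that is not mutt's code. The `CertIdentity` container, the `allow_cn_fallback` switch and the sample certificates are assumptions made for the illustration; the wildcard rule follows RFC 6125 6.4.3 (a lone `*` as the complete left-most label only).

```python
# Added example, not mutt's verification code: pick which certificate
# identities may be matched against the expected hostname.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Hypothetical holder for the fields a TLS library hands back."""
    common_name: Optional[str]
    dns_names: List[str] = field(default_factory=list)  # SAN dNSName entries


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive compare; '*' only as the whole left-most label,
    it never spans a dot and must leave at least two labels after it."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False  # partial wildcards such as f*.example.com are rejected
    plabels, hlabels = pattern.split("."), host.split(".")
    return (
        len(plabels) >= 3
        and len(plabels) == len(hlabels)
        and all(hlabels)
        and plabels[1:] == hlabels[1:]
    )


def candidate_identities(cert: CertIdentity, allow_cn_fallback: bool) -> List[str]:
    """RFC 6125 6.4.4: any dNSName present -> the CN is not consulted.
    allow_cn_fallback=True is the legacy RFC 2818 behaviour; False is RFC 9525,
    where a certificate without dNSName entries carries no usable identity."""
    if cert.dns_names:
        return list(cert.dns_names)
    if allow_cn_fallback and cert.common_name:
        return [cert.common_name]
    return []


def hostname_matches(cert: CertIdentity, hostname: str, allow_cn_fallback: bool = False) -> bool:
    return any(_name_matches(p, hostname) for p in candidate_identities(cert, allow_cn_fallback))


# Constructed sample certificates for a quick manual run.
SAN_CERT = CertIdentity(common_name="mail.example.com", dns_names=["imap.example.com"])
CN_ONLY_CERT = CertIdentity(common_name="mail.example.com")
WILDCARD_CERT = CertIdentity(common_name=None, dns_names=["*.example.com"])
```

With `SAN_CERT`, the host `mail.example.com` is rejected even with the legacy fallback enabled, because the Common Name is ignored once a dNSName exists.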
