> On Fri, Apr 30, 1999 at 11:28:45AM +0100, Anthony Peacock wrote:
> 
> > It turns out that Netscape v4.06 or higher requires that the CN (common 
> > name) of the certificate matches the DNS name of the server.  I think this 
> > _is_ part of the standard; it is just that the other browsers don't complain.
> > 
> > So if your URL is:  https://secure.mydomain.com/
> > 
> > the CN should be:  secure.mydomain.com
> 
> Any browser should *complain* if the DNS name is not found as either
> the CN or a subjectAltName in the certificate, but I don't think that
> the error message saying that the certificate does not allow the kind
> of operation it is used for can occur because of this.  The browser
> should notify the user that the certificate is not signed by an
> accepted CA, and that the name does not match the URL, but it should
> still offer the possibility to accept the certificate.

Neither Netscape 3.01 nor IE 4.0 complained about a certificate that had 
"webmaster" as the CN.  However, Netscape 4.5 gives the reported error 
message, i.e. not very informative.  The error message from NS 4.5 does not 
allow you to accept the certificate; it just refuses to allow the connection.

I know this is the case, as these are the exact symptoms I was getting, and 
discovering that the CN was wrong and fixing it solved the Netscape 4.5 
error.

As you say, they will all complain about a certificate that isn't signed by a 
"known" CA.  But that is another story.

Fare Thee Well
Anthony Peacock       
CHIME, UCL Medical School
E-Mail: [EMAIL PROTECTED]
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
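
The name check discussed in this thread, as an added example that is not part of the original messages or of OpenSSL: it tests whether a certificate's CN or subjectAltName covers the host in the URL. Assumptions: certificates are dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, the sample certificates are constructed, the function names are hypothetical, and DNS subjectAltName entries take precedence over the CN when present, as RFC 2818 specifies.

```python
def _name_matches(pattern, host):
    """Compare one presented name with the host, case-insensitively.
    A '*' is honoured only as the entire leftmost label, never as '*.tld'."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def presented_names(cert):
    """Return (source, names): DNS subjectAltName entries if any, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return "subjectAltName", sans
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return "commonName", cns

def check_host(cert, host):
    """Return (ok, source, names) so a caller can report why a match failed."""
    source, names = presented_names(cert)
    return any(_name_matches(n, host) for n in names), source, names

# Constructed sample certificates (not taken from the thread).
BAD_CN = {"subject": ((("organizationName", "Example"),),
                      (("commonName", "webmaster"),))}
GOOD_CN = {"subject": ((("commonName", "secure.mydomain.com"),),)}
SAN_CERT = {"subject": ((("commonName", "webmaster"),),),
            "subjectAltName": (("DNS", "secure.mydomain.com"),
                               ("DNS", "*.mydomain.com"))}
SAN_OTHER = {"subject": ((("commonName", "secure.mydomain.com"),),),
             "subjectAltName": (("DNS", "other.mydomain.com"),)}

if __name__ == "__main__":
    host = "secure.mydomain.com"
    for label, cert in (("CN=webmaster", BAD_CN), ("CN=host", GOOD_CN),
                        ("SAN list", SAN_CERT), ("SAN mismatch", SAN_OTHER)):
        ok, source, names = check_host(cert, host)
        print(f"{label:13} {'match' if ok else 'MISMATCH':9} {source}: {names}")
```
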
