On 27 Jan 09, at 06:01, Crypto Sal wrote:
settings and things should be alright and you'll see if browsers
choke too or it's M$ products. I would also try Thunderbird and other
email clients on the email server side of things.
Indeed, I now tried with Thunderbird and it happily accepts both
hostname and IP.
My problem is that I cannot avoid the use of Outlook and OE by users.
But maybe this is the proof that what I need cannot be done, because
M$ mail clients do not support subjectAltName? Can this really be true?
I thought SSL support was nowadays (sort of) standardized... sigh.
Can you do an s_client and dump the cert to OpenSSL's x509 and
read the cert? Do the SubjectAltNames appear in the "X509v3
Subject Alternative Name" section when doing so?
How can I dump the certificate using s_client? I can't see anything
about this in its man page.
openssl s_client -connect HOST_NAME:PORT -starttls pop3 | openssl x509 -text -noout
Alternatively, openssl x509 -text -noout -in YOUR_CERT_HERE, and you
can read the text output of the certificate instead of its hashed
value.
Oh yes, I often used the second one, and yes, the subjectAltName value
always appears in the right place.
Usually Outlook will display a box with a series of checks and red
X's. I am pretty sure it has three areas and in most cases it is the
last one that it fails on. I wish I had a screenshot for you. I just
saw one the other day too.
No checks or X's here. Here is the warning I get from Outlook 2007
(Italian):
http://www.mdv.eu/temp/outlook_ssl.png
Translating literally, it just says that the "main destination name
is wrong".
--
Ciao,
Marco.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
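
The check discussed in this message (whether the names appear under "X509v3 Subject Alternative Name", and as which entry type), written out as an added example that is not part of the original thread. The certificate is a constructed self-signed one; mail.example.test, 192.0.2.10 and the function names are assumptions, and matching is exact (no wildcards, IPv4 only).

```shell
#!/bin/sh
# Build a throwaway self-signed certificate (constructed sample) that
# carries both a hostname and an IP address in subjectAltName.
# Needs OpenSSL 1.1.1 or later for -addext.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -addext "subjectAltName=DNS:mail.example.test,IP:192.0.2.10" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Print the SAN entries of a PEM certificate, one per line, exactly as
# "openssl x509 -text" labels them ("DNS:..." or "IP Address:...").
# Prints nothing when the certificate has no SAN extension.
san_entries() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 |
        tr ',' '\n' |
        sed -e 's/^ *//' -e 's/ *$//'
}

# san_has CERT TYPE VALUE: succeed if an entry "TYPE:VALUE" is present.
san_has() {
    san_entries "$1" | grep -Fqx "$2:$3"
}

# san_covers CERT NAME: look NAME up under the entry type that fits it,
# "IP Address" for a dotted IPv4 literal and "DNS" for anything else.
san_covers() {
    case "$2" in
        *[!0-9.]*) san_has "$1" "DNS" "$2" ;;
        *)         san_has "$1" "IP Address" "$2" ;;
    esac
}

# Demo on the constructed certificate.
tmp=$(mktemp -d)
make_sample_cert "$tmp/demo"
san_entries "$tmp/demo.pem"
for name in mail.example.test 192.0.2.10 other.example.test; do
    if san_covers "$tmp/demo.pem" "$name"; then
        echo "$name: present in subjectAltName"
    else
        echo "$name: NOT present in subjectAltName"
    fi
done
```

To run the same check against a live server, save the PEM block printed by the s_client command above to a file and pass that file to san_entries.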