Thanks!

On Wed, 19 Sep 2018 at 00:50, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> > On Sep 18, 2018, at 5:27 PM, דרור מויל <moyald...@gmail.com> wrote:
> >
> > I'm experiencing some unexpected (in my opinion - and I might be in the wrong here) behavior in hostname checking in the OpenSSL CLI utils.
>
> The default behaviour follows:
>
> https://tools.ietf.org/html/rfc6125#section-6.4.4
>
> which says:
>
> As noted, a client MUST NOT seek a match for a reference identifier of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types supported by the client.
>
> > I'm trying to verify the hostname of a certificate which has CN=mysite.com and altSubj=localhost (was generated by the pyca/cryptography example - https://cryptography.io/en/latest/x509/tutorial/#creating-a-self-signed-certificate) and the check always fails on hostname mismatch.
>
> Your certificate is poorly crafted; it must list all the desired domains in the subjectAltName extension, and then may repeat one of them in the Subject CN as a fallback for legacy software.
>
> > The thing is, that when flags=0, X509_check_host will call do_X509_check, which will verify only the altSubjNames and not the CN in the Subj.
>
> As expected.
>
> > I tried to find a way to set the flags to X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT using a CLI flag or config, but there is no such option.
> >
> > Was it meant to work like this? Am I missing something?
>
> Obtain a properly crafted certificate and all will be well.
> The host flags are not, IIRC, exposed via the CLI. Good luck.
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
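A stand-alone model of the RFC 6125 §6.4.4 rule as the thread describes OpenSSL's do_X509_check applying it, showing why CN=mysite.com with SAN=localhost fails at flags=0 and what X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT changes. This is an added example in plain Python, not OpenSSL's code; the Cert class and the flag constant's value are constructed stand-ins for the X509 object and the real flag.

```python
"""Model of RFC 6125 section 6.4.4 hostname matching (added example, not OpenSSL code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Stand-in for X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT; the numeric value is constructed.
ALWAYS_CHECK_SUBJECT = 0x1


@dataclass
class Cert:
    """Constructed stand-in for an X509 object: the Subject CN and the SAN DNS-IDs."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _dns_id_matches(presented: str, reference: str) -> bool:
    """Case-insensitive label match; a single leftmost '*' label matches exactly one label."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if p == r:
        return True
    if p.startswith("*."):
        pl, rl = p.split("."), r.split(".")
        # Require at least two fixed labels after the wildcard (no '*.com').
        return len(pl) == len(rl) and len(pl) >= 3 and pl[1:] == rl[1:]
    return False


def check_host(cert: Cert, hostname: str, flags: int = 0) -> bool:
    """Mirror the control flow the thread describes for X509_check_host.

    When the certificate presents any DNS-IDs, only those are consulted; the
    CN is then ignored unless ALWAYS_CHECK_SUBJECT is set. A certificate with
    no DNS-IDs at all still falls back to the CN (the legacy path).
    """
    if cert.san_dns:
        if any(_dns_id_matches(d, hostname) for d in cert.san_dns):
            return True
        if not flags & ALWAYS_CHECK_SUBJECT:
            return False  # RFC 6125: MUST NOT fall back to CN-ID here
    return cert.subject_cn is not None and _dns_id_matches(cert.subject_cn, hostname)


# The certificate from the thread: CN=mysite.com, SAN=localhost (constructed).
THREAD_CERT = Cert(subject_cn="mysite.com", san_dns=["localhost"])
# Viktor's remedy: list every desired name in the SAN, optionally repeat one in the CN.
FIXED_CERT = Cert(subject_cn="mysite.com", san_dns=["mysite.com", "localhost"])

if __name__ == "__main__":
    print("thread cert, flags=0:", check_host(THREAD_CERT, "mysite.com"))
    print("thread cert, always-check-subject:", check_host(THREAD_CERT, "mysite.com", ALWAYS_CHECK_SUBJECT))
    print("fixed cert, flags=0:", check_host(FIXED_CERT, "mysite.com"))
```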