Daniel Stenberg <[email protected]> writes:

> Hey gnutls'ers!
>
> When I pass a cert and a hostname to the
> gnutls_x509_crt_check_hostname() function (I'm using 2.8.1-2 on a
> Debian Linux here), I'm seeing a problem I'd like your feedback on!
>
> If the server cert has a subjectAltName field that doesn't match, but
> also a CN that matches, it seems this function happily returns OK. The
> way I'm reading RFC2818, that's not what it is supposed to do:
>
>    If a subjectAltName extension of type dNSName is present, that MUST
>    be used as the identity. Otherwise, the (most specific) Common Name
>    field in the Subject field of the certificate MUST be used.
>
> Am I wrong?
I agree with you. Looking at the code, though, it seems that at a first
glance both the comments and the code suggest that this situation is
taken into account. I've noticed that the code fails to check return
values, so a corrupt SAN might be skipped, but I'm not sure if that
applies in your situation. Can you post the certificate, or create one
that exhibits the same problem?

We'll need to do a 2.8.3 shortly so if there is another problem in this
area, it would be nice to fix it at the same time.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
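As an added reference model of the RFC 2818 section 3.1 rule the thread quotes (this is example code written for this page, not GnuTLS's gnutls_x509_crt_check_hostname() or any other GnuTLS code): the function below takes the names already extracted from a certificate, a list of subjectAltName dNSName values and the subject CN, and decides the hostname match. When any dNSName is present the SAN list alone is authoritative; the CN is consulted only when no dNSName exists. A second, deliberately lenient variant reproduces the behaviour Daniel describes (falling back to a matching CN even though a non-matching SAN is present) so the two can be compared on the same constructed input. Wildcards are accepted only as the whole left-most label of a name with at least three labels, which is a stricter reading than the "component fragment" wording of RFC 2818 and is a design choice of this example; iPAddress SANs and IP-literal hostnames are not handled.

```python
"""Reference model of RFC 2818 section 3.1 server identity matching.

Added example for this thread, not GnuTLS code. Works on names already
pulled out of a certificate (SAN dNSName values and the subject CN), so it
runs offline without any certificate parsing library.
"""

from typing import Iterable, Optional


def match_presented_name(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (SAN dNSName or CN) against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire left-most label (*.a.com matches foo.a.com but
    not bar.foo.a.com, and not a.com), never in any other position and never
    against a name with fewer than three labels (so *.com is rejected). This
    is stricter than the literal RFC 2818 text and is a choice of this example.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label, be the only '*' in the
    # pattern, and leave at least two fixed labels to the right of it.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # '*' consumes exactly one label, so the label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(hostname: str,
                   san_dns_names: Iterable[str],
                   subject_cn: Optional[str]) -> bool:
    """RFC 2818 rule: if any dNSName SAN is present, the SANs decide alone.

    The CN is only considered when the certificate carries no dNSName at all.
    """
    san_dns_names = list(san_dns_names)
    if san_dns_names:
        return any(match_presented_name(p, hostname) for p in san_dns_names)
    if subject_cn is None:
        return False
    return match_presented_name(subject_cn, hostname)


def check_hostname_lenient(hostname: str,
                           san_dns_names: Iterable[str],
                           subject_cn: Optional[str]) -> bool:
    """The behaviour reported in the thread, modelled for comparison only.

    Falls back to the CN even when a dNSName SAN exists and does not match,
    which is exactly what RFC 2818 forbids.
    """
    if any(match_presented_name(p, hostname) for p in san_dns_names):
        return True
    return subject_cn is not None and match_presented_name(subject_cn, hostname)


# Constructed sample certificate identities for the thread's scenario: the
# SAN names a different host than the CN, and the client connects to the
# host named only in the CN. (Sample values, not from a real certificate.)
SAMPLE_SAN = ["www.example.net"]
SAMPLE_CN = "www.example.com"
SAMPLE_HOST = "www.example.com"


if __name__ == "__main__":
    strict = check_hostname(SAMPLE_HOST, SAMPLE_SAN, SAMPLE_CN)
    lenient = check_hostname_lenient(SAMPLE_HOST, SAMPLE_SAN, SAMPLE_CN)
    print(f"RFC 2818 strict match for {SAMPLE_HOST}: {strict}")
    print(f"CN-fallback (lenient) match for {SAMPLE_HOST}: {lenient}")
```

With the sample above the strict function rejects the connection because the only dNSName (www.example.net) does not match, while the lenient variant accepts it on the strength of the CN; the difference is precisely the discrepancy the thread is asking about, and it is the reason a checker must stop consulting the CN as soon as a dNSName is present.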
