Dr. Stephen Henson wrote:

> Try adding multiple subjectAltName extensions with the option "DNS".
> This is the official way to indicate a hostname; putting it in CN is
> just for compatibility with legacy applications.

I added the following options to /etc/ssl/openssl.cnf:

  commonName_default = www.domain1.org
  subjectAltName     = DNS:www.domain2.net,DNS:www.domain3.com

and I am getting an interesting error message from Mozilla Firefox.
When I try to connect to https://www.domain1.org/, Firefox tells me
that it expects a certificate for "www.domain1.org" and receives a
cert for "www.domain1.org". The host names in the error message are
identical, but Firefox is complaining anyway. :-)

When I change openssl.cnf settings to look like this

  commonName_default = foo.domain1.org
  subjectAltName     = DNS:www.domain1.org,DNS:www.domain2.net,DNS:www.domain3.com

the URLs

  https://www.domain1.org/
  https://www.domain2.net/
  https://www.domain3.com/

can be accessed using Firefox without any error messages. One could
guess that Firefox matches against CN if no DNS is available, and
against DNS without looking at CN if DNS is available. Should this
be considered the correct behaviour?

--
Mit freundlichen Grüßen / Yours sincerely
Dipl. Inform. Ralph Seichter
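The behaviour observed above is the name-matching rule of RFC 2818 and RFC 6125: once a certificate carries any dNSName subjectAltName entries, a client checks the hostname only against those entries and ignores the subject CN; the CN is consulted only when no dNSName exists. The following is an added example, not code from the thread or from the OpenSSL project, that implements that rule in Python over certificate dictionaries in the shape `ssl.SSLSocket.getpeercert()` returns; the three certificates are constructed by hand to mirror the two openssl.cnf variants from the mail plus a CN-only certificate, and the wildcard handling (whole leftmost label only) is this example's own strict choice.

```python
"""Hostname matching as browsers do it (RFC 2818 / RFC 6125):
dNSName SAN entries, when present, are authoritative and the CN is ignored;
the CN is only a fallback for certificates with no dNSName at all.
Certificates here are constructed dicts in getpeercert() shape; no real
key material or network access is involved."""


def _dnsname_match(pattern, hostname):
    """Case-insensitive match of one dNSName (or CN) value against a hostname.
    A single '*' is accepted only as the whole leftmost label and never
    for a name with fewer than three labels (so '*.com' matches nothing)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    host_labels = hostname.split(".")
    if labels[0] != "*" or len(labels) < 3 or len(labels) != len(host_labels):
        return False
    return labels[1:] == host_labels[1:]


def cert_dnsnames(cert):
    """dNSName entries of the subjectAltName extension, in order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def cert_common_names(cert):
    """All commonName attributes of the subject DN, in order."""
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def match_hostname(cert, hostname):
    """Return the certificate name that matched `hostname`, or None.

    Mirrors the rule the mail describes: with dNSName SANs present the CN is
    not even looked at, which is why a CN of www.domain1.org alone did not
    satisfy Firefox once the SAN list existed without that name."""
    candidates = cert_dnsnames(cert) or cert_common_names(cert)
    for name in candidates:
        if _dnsname_match(name, hostname):
            return name
    return None


def which_names_are_checked(cert):
    """Report which field a client will consult, for diagnostics."""
    return "subjectAltName dNSName" if cert_dnsnames(cert) else "subject commonName"


# --- constructed certificates mirroring the mail (no real certs) ---------
CERT_FIRST_CONFIG = {
    "subject": ((("commonName", "www.domain1.org"),),),
    "subjectAltName": (("DNS", "www.domain2.net"), ("DNS", "www.domain3.com")),
}
CERT_SECOND_CONFIG = {
    "subject": ((("commonName", "foo.domain1.org"),),),
    "subjectAltName": (
        ("DNS", "www.domain1.org"),
        ("DNS", "www.domain2.net"),
        ("DNS", "www.domain3.com"),
    ),
}
CERT_CN_ONLY = {"subject": ((("commonName", "www.domain1.org"),),)}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.domain1.org"),)}


if __name__ == "__main__":
    for label, cert in (("first config", CERT_FIRST_CONFIG),
                        ("second config", CERT_SECOND_CONFIG),
                        ("CN only", CERT_CN_ONLY)):
        print(f"{label:14s} checks {which_names_are_checked(cert)}; "
              f"www.domain1.org -> {match_hostname(cert, 'www.domain1.org')!r}")
```

Running the block shows the first configuration failing for www.domain1.org even though the CN is exactly that name, the second configuration succeeding because the name is in the SAN list, and the CN-only certificate succeeding via the fallback. A practical consequence for anyone generating certificates with openssl.cnf: list every hostname the server answers to in subjectAltName, including the one you also put in the CN.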

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]