On Fri, Mar 16, 2012 at 4:14 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
> On 3/15/2012 7:04 PM, pankaj jain wrote:
>> Hi,
>> I am using openssl-0.9.8 release;
>> I could not find any documentation if it supports RFC-5280.
>>
>> basically I am looking for the answers about following capabilities:
>>
>> 1. While receiving a certificate can I extract the canonical hostname
>> from the subjectCommonName (CN) if (and only if) it is not present in the
>> subjectAltName.
>>
>
> I believe all OpenSSL versions ever allow you to see both the CN
> and all the subjectAltName's and make your own decisions.
>
> Note that whatever RFC5280 may say, the Postel principle implies
> that you should accept the certificate as valid even if it has a list
> of subjectAltName attributes that do not duplicate the CN, as this
> appears to be the common practice in certificates currently issued
> by trusted public CAs.
>
> --
> Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
> This message is only for its intended recipient, delete if misaddressed.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org

Hi Jakob,

Thanks for your response; I should have asked my question differently. Basically I wanted to know the default behavior of openssl with respect to extracting the canonical hostname to verify the certificate. Does it give priority to subjectAltName and use the CN if and only if subjectAltName is empty? Excuse me if I am asking something obvious.
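Added example, not code from this thread or from OpenSSL: OpenSSL 0.9.8 performs no hostname matching itself (X509_check_host only arrived in 1.0.2), so the SAN-before-CN rule the question asks about has to be applied by the caller, and this Python check shows that rule stand-alone. It assumes certificates in the dict shape Python's ssl getpeercert() returns; the two certificates at the bottom are constructed samples.

```python
"""Hostname check in the RFC 6125 order: dNSName subjectAltName entries are
authoritative when present; the subject CN is consulted only when the
certificate carries no DNS SAN at all. Certificates use the dict shape of
ssl.SSLSocket.getpeercert(); the samples at the bottom are constructed."""
import ipaddress
import re

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def _dns_match(pattern, hostname):
    """Case-insensitive match of one name pattern against a hostname.
    A wildcard is accepted only as the entire leftmost label, must be
    followed by at least two labels (so '*.com' never matches), and
    matches exactly one label (no 'a.b' under '*.api.example.com')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and _LABEL.match(h_labels[0]) is not None


def verify_hostname(cert, hostname):
    """Return (matched, field) where field names the part of the cert that
    decided the outcome. An IP literal is only ever matched against IP SANs.
    If any DNS SAN exists, only DNS SANs are consulted and the CN is ignored,
    even if the CN would have matched; CN is the fallback for SAN-less certs."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        ips = [ipaddress.ip_address(v) for t, v in san if t == "IP Address"]
        return (ip in ips, "subjectAltName:IP")
    dns_sans = [v for t, v in san if t == "DNS"]
    if dns_sans:
        return (any(_dns_match(p, hostname) for p in dns_sans), "subjectAltName:DNS")
    cns = [v for rdn in cert.get("subject", ()) for t, v in rdn if t == "commonName"]
    return (any(_dns_match(p, hostname) for p in cns), "commonName")


# Constructed sample certificates (placeholder names, same shape as getpeercert()).
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {"subject": ((("countryName", "DK"),), (("commonName", "www.example.org"),))}
```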