Hi, I'm experiencing some unexpected (in my opinion - and I might be in the wrong here) behavior in hostname checking in the OpenSSL CLI utils. I'm trying to verify the hostname of a certificate which has CN=mysite.com and altSubj=localhost (it was generated by the pyca/cryptography example - https://cryptography.io/en/latest/x509/tutorial/#creating-a-self-signed-certificate) and the check always fails on hostname mismatch. I tried the following:

1. openssl x509 -in certificate.pem -checkhost mysite.com
2. openssl verify -verify_hostname mysite.com certificate.pem
I could see in the code that they both use X509_check_host and they both call it with flags=0. The thing is that when flags=0, X509_check_host will call do_X509_check, which verifies only the altSubjNames and not the CN in the Subj. I tried to find a way to set the flags to X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT using a CLI flag or config, but there is no such option. Was it meant to work like this? Am I missing something? Thanks!
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
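As an added example (not from the original post or from OpenSSL itself), the script below reproduces the behaviour described above with both CLI commands and then shows that the check passes once the hostname is listed in the subjectAltName, which is the practical fix given that neither command exposes X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT. It assumes an OpenSSL 1.1.1 or newer binary on PATH (for `-addext`) and writes only to a temporary directory; the helper names `make_cert`, `checkhost` and `verify_hostname` are this example's own.

```shell
#!/bin/sh
# Added example: SAN-vs-CN behaviour of `openssl x509 -checkhost` and
# `openssl verify -verify_hostname`, and the fix (put the name in the SAN).
# Assumes OpenSSL 1.1.1+ on PATH (-addext needs 1.1.1).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed cert: $1 = output prefix, $2 = subject CN, $3 = subjectAltName value
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" \
        -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# `openssl x509 -checkhost` calls X509_check_host with flags=0, so the CN is
# consulted only when the cert carries no DNS SAN at all. Prints match/mismatch.
checkhost() {
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does NOT match"; then
        echo mismatch
    else
        echo match
    fi
}

# Same question via `openssl verify -verify_hostname`; the exit status is the verdict
# (the self-signed cert doubles as its own trust anchor via -CAfile).
verify_hostname() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo match
    else
        echo mismatch
    fi
}

# Case from the post: CN=mysite.com, SAN=DNS:localhost -> mysite.com is NOT matched,
# because a DNS SAN is present and CN fallback is therefore skipped.
make_cert "$WORK/bad" mysite.com "DNS:localhost"
checkhost "$WORK/bad.pem" mysite.com        # mismatch
checkhost "$WORK/bad.pem" localhost         # match
verify_hostname "$WORK/bad.pem" mysite.com  # mismatch

# Fix: list every hostname in the SAN; CN alone is not enough once a SAN exists.
make_cert "$WORK/good" mysite.com "DNS:mysite.com,DNS:localhost"
checkhost "$WORK/good.pem" mysite.com       # match
verify_hostname "$WORK/good.pem" mysite.com # match
```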