I guess it's a matter of which Linux you use,

CentOS 7 doesn't give this warning;
CentOS 6 warns about this;

a Debian (don't really know which release)
uname -a
Linux a2f78 3.16.0-7-amd64 #1 SMP Debian 3.16.59-1 (2018-10-03) x86_64 GNU/Linux
does warn ...

Walter

On 23.12.2018 13:21, Felipe Gasper wrote:
Wow that’s pretty bad .. is that the current version of httpd??

That’d be worth a big report if so, IMO, though I’d imagine it’s an issue they’re aware of.

-FG

On Dec 23, 2018, at 6:53 AM, Walter H.<walte...@mathemainzel.info>  wrote:


I tried the following

the certificate had a CN of test.example.com and in subjectAltNames dNS were test.example.com and test.example.net

when the Apache ServerName is   test.example.net  I get this warning

[Sun Dec 23 12:45:03 2018] [warn] RSA server certificate CommonName (CN) `test.example.com' does NOT match server name!?

so the CN matters ...

so the server behavior is something different to the behavior of the client ...

Walter

On 23.12.2018 10:44, Kyle Hamilton wrote:
Does Apache only examine CN=, or does it also check subjectAltNames dNS entries?

-Kyle H

On Sun, Dec 23, 2018 at 3:25 AM Walter H.<walte...@mathemainzel.info>   wrote:
On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:
     >    >. New certificates should only use the subjectAltName extension.

     Are any CAs actually doing that? I thought they all still included subject.CN.
Yes, I think commercial CAs still do it.  But that doesn't make my statement wrong :)

Apache raises a warning at the following condition

e.g. a virtual Host defines this:

ServerName  www.example.com:443

and the SSL certificate has a CN which does not correspond to
CN=www.example.com, e.g.  CN=example.com

then the warning looks like this

[Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name

and fills up the logs

Walter




-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
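
The two warnings quoted in this thread point to two different server-side name checks: one that compares ServerName with the subject CN only, and one that accepts any matching ID. The following is an added example, not part of the original messages and not mod_ssl code. It models both checks on the names quoted above; the function names, the wildcard rule, and the empty SAN list in the second case are assumptions.

```python
# Added illustration, not mod_ssl source: models a CN-only check and an
# "any ID" check (SAN dNSName or CN). Names are passed in as plain strings.

def name_matches(cert_name, host):
    """Case-insensitive compare; '*' only as the whole left-most label,
    covering exactly one label (*.example.com does not match example.com)."""
    p = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def strip_port(server_name):
    """ServerName may carry a port (www.example.com:443); keep the host."""
    return server_name.rsplit(":", 1)[0] if ":" in server_name else server_name

def cn_only_check(server_name, cn, san_dns):
    """Compare against the subject CN only; SAN entries are ignored."""
    return name_matches(cn, strip_port(server_name))

def any_id_check(server_name, cn, san_dns):
    """Accept a match on any SAN dNSName entry or on the CN (assumed rule)."""
    host = strip_port(server_name)
    return any(name_matches(n, host) for n in [*san_dns, cn])

# Constructed cases built from the names quoted in the thread:
# (ServerName, subject CN, SAN dNSName entries)
CASES = [
    ("test.example.net", "test.example.com",
     ["test.example.com", "test.example.net"]),
    # SAN list for this case is not given in the thread; empty is an assumption.
    ("www.example.com:443", "example.com", []),
]

def evaluate(cases=CASES):
    """Return (ServerName, cn_only_ok, any_id_ok) for each case."""
    return [(s, cn_only_check(s, cn, san), any_id_check(s, cn, san))
            for s, cn, san in cases]

if __name__ == "__main__":
    for server, cn_ok, id_ok in evaluate():
        print(f"{server:22} CN-only: {'ok' if cn_ok else 'WARN':4} "
              f"any-ID: {'ok' if id_ok else 'WARN'}")
```
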
