On Thu, 12 Oct 2023, Paul Wouters wrote:

> It does strongly suggest you do not have a subjectAltName extension, and
> trusting CN= is no longer considered secure.

I should clarify this:

https://datatracker.ietf.org/doc/html/rfc2818#section-3.1

   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity. Otherwise, the (most specific) Common Name
   field in the Subject field of the certificate MUST be used. Although
   the use of the Common Name is existing practice, it is deprecated and
   Certification Authorities are encouraged to use the dNSName instead.

Mostly because of the WebPKI, and things like ACME that can authenticate
a DNS name or IP in a subjectAltName, but not the random data within a
CN=.

Also because of multiple SAN entries, the CN= is kind of losing its meaning.

In the context of end-user certificates, it is obviously still very valid
and also secure. Sorry for the confusion.

Paul
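
The identity-selection rule in the RFC 2818 passage quoted above, as an added example that is not part of the original message or of libreswan's code. It works on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificates are constructed, `allow_cn_fallback` is a hypothetical policy switch, and "most specific" CN is assumed to be the last one in encoding order.

```python
# Added example: RFC 2818 section 3.1 identity selection (SAN dNSName first, CN only as fallback).

def reference_identities(cert):
    """Return (source, names): every dNSName SAN if any exist, else the most specific CN."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return "san", dns_names              # CN must be ignored from here on
    cns = [v for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName"]
    if cns:
        return "cn", [cns[-1]]               # assumption: last CN is the most specific
    return "none", []

def _name_matches(pattern, host):
    """Case-insensitive match; '*.' covers exactly one leftmost label (simplified)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def check_host(cert, host, allow_cn_fallback=False):
    """Return (accepted, source). CN-only certificates are refused unless explicitly allowed."""
    source, names = reference_identities(cert)
    if source == "cn" and not allow_cn_fallback:
        return False, source
    return any(_name_matches(n, host) for n in names), source

# Constructed sample certificates in getpeercert() form.
SAN_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "gw.example.net"), ("DNS", "*.example.org")),
}
CN_ONLY_CERT = {
    "subject": ((("organizationName", "Example"),), (("commonName", "vpn.example.com"),)),
}
IP_SAN_CERT = {  # has a SAN extension, but no entry of type dNSName
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("IP Address", "192.0.2.1"),),
}

if __name__ == "__main__":
    for label, cert in (("SAN", SAN_CERT), ("CN-only", CN_ONLY_CERT), ("IP-SAN", IP_SAN_CERT)):
        for host in ("vpn.example.com", "gw.example.net", "a.example.org"):
            print(label, host, check_host(cert, host), check_host(cert, host, True))
```

A certificate whose CN matches the host but whose dNSName entries do not is rejected, which is the case that catches deployments still relying on CN=.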