On 19/03/2021 16:34, Dedeepya Tunga wrote:
Hi Gordon, Thanks a lot for the hint to use openssl for hostname verification. It helped me to understand why hostname verification didn't work for me. In my tests, I have generated various certificates, some of them contained the broker IP set in alternate names and others had the broker FQDN set as alternate names. It seems that hostname verification only works when the connection hostname or connection SNI is explicitly set to the certificate subject CN. The alternate names are not taken into consideration on hostname verification. For example, when I created a certificate with CN=FQDN and the broker IP set as an alternate name, the connection to the broker using the IP would fail unless SNI is set to the FQDN. My expectation was that if the connection host is either a certificate alternate name or the certificate CN, the hostname check should pass, but it doesn't pass when alternate names are used.
It looks like proton at present does not accept SANs of type 'IP Address' rather than 'DNS' hostnames. If you specify SANs of type DNS that hold IP addresses then they seem to work. You can specify the IP address as both type IP Address and DNS.
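The distinction the thread turns on (which certificate identifiers count for a hostname target, which for an IP target, and when the subject CN is consulted at all) is easy to see in code. The following is an added example, not Proton's implementation and not code from either message above: it applies the RFC 6125 / OpenSSL X509_check_host and X509_check_ip rules to certificates in the shape Python's ssl.getpeercert() returns, and exposes an opt-in switch for the lenient behaviour Gordon describes (an IP literal stored in a DNS-type SAN). The certificates below are constructed dicts, not real certificates; the host names and addresses are placeholders.

```python
"""Hostname / IP verification against a peer certificate in getpeercert() shape.

Added example (not Apache Qpid Proton code).  Rules implemented:
  * hostname target: match DNS SANs; fall back to subject CN only when the
    certificate carries no DNS SAN at all (RFC 6125 s6.4.4);
  * IP target: match only 'IP Address' SANs, never CN or DNS entries, unless
    allow_ip_in_dns_san=True is passed to emulate the lenient behaviour seen
    in the thread (an IP written into a DNS-type SAN).
"""
import ipaddress


def _as_ip(value):
    """Parse an IPv4/IPv6 literal (surrounding brackets tolerated); None if not an IP."""
    try:
        return ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, hostname):
    """RFC 6125 style DNS-ID comparison: case-insensitive, trailing dot ignored,
    and a single '*' is accepted only as the entire left-most label of a
    pattern with at least three labels (so '*.example.com' matches
    'broker.example.com' but not 'a.b.example.com' or 'example.com')."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or len(p) != len(h) or any("*" in x for x in p[1:]):
        return False
    return p[1:] == h[1:]


def verify_peer_identity(cert, target, allow_ip_in_dns_san=False):
    """Return (matched, reason) for a connection target (hostname or IP literal).

    cert mimics ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a
    tuple of (attribute, value) pairs; 'subjectAltName' is a tuple of
    (type, value) pairs where type is 'DNS' or 'IP Address'."""
    sans = cert.get("subjectAltName", ())
    dns_sans = [v for t, v in sans if t == "DNS"]
    ip_sans = [v for t, v in sans if t == "IP Address"]
    ip = _as_ip(target)

    if ip is not None:
        # IP-ID: only 'IP Address' SANs are consulted; CN and DNS SANs are not.
        for v in ip_sans:
            if _as_ip(v) == ip:
                return True, f"IP target matched IP Address SAN {v}"
        if allow_ip_in_dns_san:
            # Lenient, non-RFC path: accept an IP literal stored as a DNS SAN.
            for v in dns_sans:
                if _as_ip(v) == ip:
                    return True, f"IP target matched DNS SAN {v} (lenient mode)"
        return False, "no IP Address SAN matches; CN and DNS SANs are not used for IP targets"

    if dns_sans:
        # DNS-ID present: the subject CN must not be used as a fallback.
        for v in dns_sans:
            if _dns_match(v, target):
                return True, f"hostname matched DNS SAN {v}"
        return False, "no DNS SAN matches; CN ignored because DNS SANs are present"

    # No DNS SAN at all: legacy CN-ID fallback.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for cn in cns:
        if _dns_match(cn, target):
            return True, f"hostname matched subject CN {cn}"
    return False, "no SAN present and subject CN does not match"


# Constructed sample certificates (placeholders, not real certificates).
CERT_CN_ONLY = {"subject": ((("commonName", "broker.example.com"),),)}
CERT_DNS_AND_IP_SAN = {
    "subject": ((("commonName", "broker.example.com"),),),
    "subjectAltName": (("DNS", "broker.example.com"),
                       ("IP Address", "10.0.0.5"),
                       ("IP Address", "2001:db8::5")),
}
CERT_IP_AS_DNS_SAN = {
    "subject": ((("commonName", "broker.example.com"),),),
    "subjectAltName": (("DNS", "broker.example.com"), ("DNS", "10.0.0.5")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "other.internal"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    for cert_name, cert, target in [
        ("CN only", CERT_CN_ONLY, "broker.example.com"),
        ("CN only", CERT_CN_ONLY, "10.0.0.5"),
        ("DNS+IP SAN", CERT_DNS_AND_IP_SAN, "10.0.0.5"),
        ("IP as DNS SAN", CERT_IP_AS_DNS_SAN, "10.0.0.5"),
        ("wildcard SAN", CERT_WILDCARD, "other.internal"),
    ]:
        print(cert_name, target, verify_peer_identity(cert, target))
```

Run against the constructed certificates, the strict rules reproduce what the thread reports: an IP target is accepted only when the certificate carries a matching IP Address SAN, an IP stored as a DNS-type SAN is rejected unless the lenient switch is on, and a CN is honoured only when the certificate has no DNS SAN at all. When debugging a real broker certificate, the equivalent checks with the openssl CLI are `openssl x509 -noout -checkhost <fqdn> -in cert.pem` and `openssl x509 -noout -checkip <ip> -in cert.pem`, which apply the same strict rules.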
