Hi Gordon,

I have tried setting the SANs of type DNS set to IP address and FQDN, something like the below.

    [req_ext]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = <FQDN>
    DNS.2 = <IP>

It has failed host name verification with the above configuration.

Regards,
Dedeepya.T
On Tue, 23 Mar 2021 at 16:56, Gordon Sim <[email protected]> wrote:

On 19/03/2021 16:34, Dedeepya Tunga wrote:
> Hi Gordon,
> Thanks a lot for the hint to use openssl for hostname verification. It helped
> me to understand why hostname verification didn't work for me.
> In my tests, I have generated various certificates, some of them contained
> broker IP set in alternate names and others had broker FQDN set as alternate
> names. It seems that hostname verification only works when connection hostname
> or connection SNI is explicitly set to the certificate subject CN.
> The alternate names are not taken into consideration on hostname verification.
> For example, when I created a certificate with CN=FQDN and broker IP set as
> alternate name, the connection to broker using IP would fail unless SNI is
> set to FQDN. My expectation was that if connection host is either certificate
> alternate name or certificate CN, the hostname check should pass, but it
> doesn't pass when alternate names are used.

It looks like proton at present does not accept SANs of type 'IP Address'
rather than 'DNS' hostnames. If you specify SANs of type DNS that hold IP
addresses then they seem to work. You can specify the IP address as both
type IP Address and DNS.
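The behaviour discussed in this thread, a verifier that matches DNS-type SANs and the subject CN but not iPAddress SANs, is easiest to see in a small matcher. The following is an added example, not code from the thread or from Qpid Proton: it implements an RFC 6125-style hostname check over the dictionary shape that Python's ssl getpeercert() returns, with a switch that reproduces a DNS-only verifier. The three certificates are constructed inline and are not real certificates; the IP 192.0.2.10 and the name broker.example.com are placeholders.

```python
"""Hostname verification against a peer certificate's subjectAltName entries.

Added example (assumption: input follows the dict shape returned by
ssl.SSLSocket.getpeercert(), e.g. {"subject": ..., "subjectAltName": ...}).
"""
import ipaddress

# Constructed certificates in getpeercert() shape; values are placeholders.
CERT_DNS_SAN = {
    "subject": ((("commonName", "broker.example.com"),),),
    "subjectAltName": (("DNS", "broker.example.com"),),
}
CERT_IP_SAN = {
    "subject": ((("commonName", "broker.example.com"),),),
    "subjectAltName": (("DNS", "broker.example.com"), ("IP Address", "192.0.2.10")),
}
# The workaround from the thread: the IP literal stored in a DNS-type SAN.
CERT_IP_IN_DNS_SAN = {
    "subject": ((("commonName", "broker.example.com"),),),
    "subjectAltName": (("DNS", "broker.example.com"), ("DNS", "192.0.2.10")),
}


def _parse_ip(value):
    """Return an ip_address object for an IP literal (with or without [] for IPv6), else None."""
    try:
        return ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match; a single '*' is allowed only as the left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject '*' in non-leading labels, '*.tld' style patterns, and label-count mismatches.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, name, *, honour_ip_sans=True):
    """Return True if `name` (the connection host or the explicit SNI) identifies `cert`.

    honour_ip_sans=False models a verifier that only understands DNS-type SANs,
    the behaviour the thread describes: a connection by IP address then only
    passes if the IP literal was placed in a DNS-type SAN.
    """
    sans = cert.get("subjectAltName", ())
    ip = _parse_ip(name)
    if ip is not None:
        # Connecting by IP literal: only iPAddress SANs are the proper identifier.
        for kind, value in sans:
            if kind == "IP Address" and honour_ip_sans and _parse_ip(value) == ip:
                return True
            if kind == "DNS" and _parse_ip(value) == ip:
                return True  # lenient: IP literal carried in a DNS entry
        return False
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        # When DNS SANs are present the CN is ignored (RFC 6125 / RFC 2818).
        return any(_dns_match(p, name) for p in dns_names)
    # Legacy fallback: no DNS SANs at all, so the subject CN is consulted.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, name):
                return True
    return False


def demo():
    """Summarise the cases from the thread: connect by FQDN and by IP against each certificate."""
    return {
        "fqdn_vs_dns_san": match_hostname(CERT_DNS_SAN, "broker.example.com"),
        "ip_vs_dns_san": match_hostname(CERT_DNS_SAN, "192.0.2.10"),
        "ip_vs_ip_san": match_hostname(CERT_IP_SAN, "192.0.2.10"),
        "ip_vs_ip_san_dns_only_verifier": match_hostname(CERT_IP_SAN, "192.0.2.10", honour_ip_sans=False),
        "ip_vs_ip_in_dns_san_dns_only_verifier": match_hostname(CERT_IP_IN_DNS_SAN, "192.0.2.10", honour_ip_sans=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'pass' if result else 'FAIL'}")
```

With honour_ip_sans=False the IP-address connection against a certificate that carries a proper iPAddress SAN fails, while the same connection against a DNS-type SAN holding the IP literal passes, which is the workaround suggested in the reply. Putting the address in both SAN types, as the reply recommends, satisfies a strict verifier and a DNS-only one at the same time.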
