SSL Alternative Subject Name validation

Bart Warmerdam bartw at
Thu Aug 4 15:07:35 UTC 2016


According to src/event/ngx_event_openssl.c (line ~ 3094)

      * As per RFC6125 and RFC2818, we check subjectAltName extension,
      * and if it's not present - commonName in Subject is checked.

But according to the the validation 
this case is more restrictive:

   0  If a subjectAltName extension of type dNSName is present in the
       certificate, it SHOULD be used as the source of the server's

This means that if e.g. an email address (GEN_EMAIL) is part of the 
subjectAltName, and no DNSName is present, the CN name is never checked 
in this case. I'd expect the CN to be checked in this case. The jump to 
the failed label should only be done if there was at least one DNSName. 
Do you share this view and do you accept a patch for this?



More information about the nginx-devel mailing list