SSL Alternative Subject Name validation
Bart Warmerdam
bartw at xs4all.nl
Thu Aug 4 15:07:35 UTC 2016
Hello,
According to src/event/ngx_event_openssl.c (line ~ 3094)
/*
* As per RFC6125 and RFC2818, we check subjectAltName extension,
* and if it's not present - commonName in Subject is checked.
*/
But according to https://tools.ietf.org/html/rfc6125 the validation in
this case is more restrictive:
    If a subjectAltName extension of type dNSName is present in the
    certificate, it SHOULD be used as the source of the server's
    identity.
This means that if e.g. an email address (GEN_EMAIL) is part of the
subjectAltName, and no DNSName is present, the CN name is never checked
in this case. I'd expect the CN to be checked in this case. The jump to
the failed label should only be done if there was at least one DNSName.
Do you share this view and do you accept a patch for this?
Regards,
B.
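The two readings discussed in the message above, side by side, as an added
illustration (this is not nginx's code and does not call OpenSSL): a small
Python model of the identity check that takes an already-parsed certificate
and decides whether the Subject CN may be consulted. The `Cert` class, the
`GEN_DNS`/`GEN_EMAIL` tag strings and the two policy names are assumptions
made for this example; the certificate data is constructed.

```python
"""RFC 6125-style server identity check over a pre-parsed certificate.

Added example (not nginx code): models when the Subject CN may be used as
a fallback identifier, under the two policies the list message contrasts.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed GeneralName tags for this example; they only mirror OpenSSL's
# GEN_* constants by name.
GEN_EMAIL = "email"
GEN_DNS = "dNSName"


@dataclass
class Cert:
    """Constructed stand-in for the identity-relevant parts of an X.509 cert."""
    common_name: Optional[str]                      # Subject CN, None if absent
    san: Optional[List[Tuple[str, str]]] = None     # [(type, value)]; None = no SAN extension


def _match_dns_id(pattern: str, hostname: str) -> bool:
    """Match one (possibly wildcarded) DNS identifier against hostname.

    Follows RFC 6125 section 6.4.3: comparison is case-insensitive, a '*'
    is honoured only as the entire leftmost label, it must be followed by
    at least two labels, and it never matches an empty label or spans a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False  # rejects "*.com", "f*o.example.com", "*.*.example.com"
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def verify_host(cert: Cert, hostname: str, policy: str) -> Tuple[bool, str]:
    """Return (matched, which identifier type was consulted).

    policy="san_present":    skip the CN whenever a SAN extension exists at
                             all (the behaviour the message reports).
    policy="dns_id_present": skip the CN only when at least one dNSName
                             entry exists (the reading the message argues for).
    """
    if policy not in ("san_present", "dns_id_present"):
        raise ValueError("unknown policy: %r" % policy)
    san = cert.san or []
    dns_ids = [value for kind, value in san if kind == GEN_DNS]
    if dns_ids:
        # A DNS-ID is present: it is the only source of identity either way.
        return any(_match_dns_id(d, hostname) for d in dns_ids), "dNSName"
    skip_cn = (cert.san is not None) if policy == "san_present" else False
    if skip_cn or cert.common_name is None:
        return False, "none"
    return _match_dns_id(cert.common_name, hostname), "CN"


if __name__ == "__main__":
    # Constructed certificate: SAN carries only an email entry, CN names the host.
    email_only = Cert("www.example.com", [(GEN_EMAIL, "admin@example.com")])
    for policy in ("san_present", "dns_id_present"):
        print(policy, verify_host(email_only, "www.example.com", policy))
```

Running the block prints `san_present (False, 'none')` followed by
`dns_id_present (True, 'CN')` for the email-only certificate, which is
exactly the divergence the message describes: both policies agree whenever a
dNSName entry exists or the SAN extension is absent, and differ only when the
extension is present without any dNSName.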