On Monday, 06 June 2022 at 12:03, Bojan Smojver via devel wrote: > Before I open a bug on this, the latest firefox/nss software that is > in F36 - is it not accepting SSL certificates without matching > subjectAlternativeName on purpose? > > I still have to complete more tests, but it seems that if SSL > certificate is issued to CN abc.example.com and if that name is not > mentioned in SAN, Firefox complains that the certificate is not for > the right domain. This is all only with most recent updates. > > Anyone else seeing similar stuff? It's not something recent. RFC2818 (HTTP over TLS) mandates this: https://datatracker.ietf.org/doc/html/rfc2818#section-3.1 If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. Regards, Dominik -- Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org There should be a science of discontent. People need hard times and oppression to develop psychic muscles. -- from "Collected Sayings of Muad'Dib" by the Princess Irulan _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
