Hi,
I'm experiencing some unexpected (in my opinion - and I might be in the wrong here) behavior in hostname checking in the OpenSSL CLI utils.
I'm trying to verify the hostname of a certificate which has CN=mysite.com and altSubj=localhost (it was generated by the pyca/cryptography example - https://cryptography.io/en/latest/x509/tutorial/#creating-a-self-signed-certificate), and the check always fails on hostname mismatch.
I tried the following:
1. openssl x509 -in certificate.pem -checkhost mysite.com
I could see in the code that they both use X509_check_host and they both call it with flags=0.
The thing is that when flags=0, X509_check_host will call do_X509_check, which will verify only the altSubjNames and not the CN in the Subj.
I tried to find a way to set the flags to X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT using a CLI flag or config, but there is no such option.
Was it meant to work like this? Am I missing something?
Thanks!
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
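The decision rule the post runs into, written out as an added Python model (this is not code from the post, from pyca/cryptography, or from OpenSSL itself; it mirrors the name-selection logic of do_x509_check() in crypto/x509/v3_utl.c). The certificate is a plain dict of the two fields that matter here, CN and the SAN dNSName entries, and wildcard handling is simplified to a single leftmost-label "*" so the flag logic stays in view. The flag values are the ones from <openssl/x509v3.h>; the two sample certificates are constructed, the first one standing in for the CN=mysite.com / SAN=DNS:localhost certificate from the post.

```python
"""Model of how X509_check_host() picks which certificate names to compare.

Rule (from OpenSSL's do_x509_check()):
  1. If the cert has at least one dNSName SAN, only those entries are
     compared; the subject CN is ignored unless
     X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is set.
  2. With no dNSName SAN, the CN is used as a fallback unless
     X509_CHECK_FLAG_NEVER_CHECK_SUBJECT is set.
  3. A leftmost-label wildcard is honoured unless
     X509_CHECK_FLAG_NO_WILDCARDS is set (partial wildcards such as
     "f*o.example.com" are not modelled here).
"""

# Flag values as defined in <openssl/x509v3.h>
X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 0x1
X509_CHECK_FLAG_NO_WILDCARDS = 0x2
X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0x20


def _name_match(pattern: str, host: str, flags: int) -> bool:
    """Case-insensitive compare of one certificate name against host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if flags & X509_CHECK_FLAG_NO_WILDCARDS:
        return False
    plabels, hlabels = pattern.split("."), host.split(".")
    # Only "*.<rest>" is accepted, the "*" must be followed by at least two
    # labels (so "*.com" never matches), and it covers exactly one host label.
    if len(plabels) < 3 or plabels[0] != "*" or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:] and hlabels[0] != ""


def x509_check_host(cert: dict, host: str, flags: int = 0) -> int:
    """Return 1 on match, 0 on mismatch, like X509_check_host().

    cert is a constructed stand-in: {"cn": str|None, "san_dns": [str, ...]}.
    """
    san_dns = cert.get("san_dns", [])
    for name in san_dns:
        if _name_match(name, host, flags):
            return 1
    # A dNSName SAN exists but none matched: the CN is not consulted unless
    # the caller explicitly asked for it. This is the post's situation with
    # flags=0, which is what the CLI passes.
    if san_dns and not (flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT):
        return 0
    cn = cert.get("cn")
    if cn is None or (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT):
        return 0
    return 1 if _name_match(cn, host, flags) else 0


# Constructed stand-in for the certificate in the post.
POSTED_CERT = {"cn": "mysite.com", "san_dns": ["localhost"]}
# Constructed CN-only certificate, the shape older tooling still emits.
CN_ONLY_CERT = {"cn": "mysite.com", "san_dns": []}


def demo() -> dict:
    """Run the checks a practitioner would try against both certificates."""
    return {
        "posted cert, mysite.com, flags=0":
            x509_check_host(POSTED_CERT, "mysite.com"),
        "posted cert, localhost, flags=0":
            x509_check_host(POSTED_CERT, "localhost"),
        "posted cert, mysite.com, ALWAYS_CHECK_SUBJECT":
            x509_check_host(POSTED_CERT, "mysite.com",
                            X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT),
        "CN-only cert, mysite.com, flags=0":
            x509_check_host(CN_ONLY_CERT, "mysite.com"),
        "CN-only cert, mysite.com, NEVER_CHECK_SUBJECT":
            x509_check_host(CN_ONLY_CERT, "mysite.com",
                            X509_CHECK_FLAG_NEVER_CHECK_SUBJECT),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {'match' if result else 'NO match'}")
```

The practical consequence for the certificate in the post: any SAN-aware verifier (OpenSSL with flags=0, browsers, most TLS libraries) will accept it for localhost and reject it for mysite.com, because once a dNSName SAN is present the CN is treated as informational only. The fix is on the certificate side: put every name the server is reached by into the SAN extension rather than looking for a switch that re-enables CN matching.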