Re: Unexpected behavior in certificate hostname check

> On Sep 18, 2018, at 5:27 PM, דרור מויל <moyaldror@xxxxxxxxx> wrote:
> 
> I'm experiencing some unexpected (in my opinion - and I might be in the wrong here) behavior in hostname checking in the OpenSSL CLI utils.

The default behaviour follows:

   https://tools.ietf.org/html/rfc6125#section-6.4.4

which says:

   As noted, a client MUST NOT seek a match for a reference identifier
   of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
   URI-ID, or any application-specific identifier types supported by the
   client.

> I'm trying to verify the hostname of a certificate which has CN=mysite.com and altSubj=localhost (was generated by pyca/cryptography example - https://cryptography.io/en/latest/x509/tutorial/#creating-a-self-signed-certificate) and the check always fails on hostname mismatch.

Your certificate is poorly crafted: it must list all the desired domains in the
subjectAltName extension, and then may repeat one of them in the Subject CN as
a fallback for legacy software.

> The thing is, that when the flags=0, X509_check_host will call do_X509_check
> that will verify only the altSubjNames and not the CN in the Subj.

As expected.

> I tried to find a way to set the flags to X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
> using a CLI flag or config but there is no such option.
> 
> Was it meant to work like this? am I missing something?

Obtain a properly crafted certificate and all will be well.
The host flags are not, IIRC, exposed via the CLI.  Good luck.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
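The rule Viktor cites (RFC 6125 section 6.4.4: once a DNS-ID is presented, the CN-ID is never consulted) is what makes the poster's CN=mysite.com / SAN=localhost certificate fail for "mysite.com". The following is an added example, not OpenSSL's code and not from this thread, that models the decision X509_check_host() makes with flags=0 versus X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT on a minimal in-memory description of a certificate. It uses only the standard library and does not parse real certificates; the Cert class, the check_host function and the ALWAYS_CHECK_SUBJECT constant are names introduced here for illustration (the constant's value mirrors the OpenSSL header, but nothing below depends on it). Wildcard matching follows RFC 6125 section 6.4.3 in its strict form: the wildcard must be the entire leftmost label and cannot span labels.

```python
"""Model of RFC 6125 section 6.4.4 identifier selection, as applied by
OpenSSL's X509_check_host(): presented DNS-IDs (subjectAltName DNS entries)
take precedence, and the Subject CN is only a fallback when no DNS-ID is
present, unless the caller asks for it with ALWAYS_CHECK_SUBJECT.
Added, illustrative code; not OpenSSL's implementation."""

from dataclasses import dataclass, field
from typing import List, Optional

# Illustrative flag; same value as X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT in
# OpenSSL's x509v3.h, but the logic below does not rely on that.
ALWAYS_CHECK_SUBJECT = 0x1


@dataclass
class Cert:
    """Minimal stand-in for a parsed certificate (constructed, not parsed)."""
    cn: Optional[str]                       # Subject CN, or None if absent
    san_dns: List[str] = field(default_factory=list)  # subjectAltName DNS-IDs


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a reference identifier.

    Comparison is case-insensitive and tolerates a trailing dot. A wildcard
    is accepted only as the whole leftmost label, only when at least two
    labels follow it, and it matches exactly one label (RFC 6125 6.4.3).
    """
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if not p or not h:
        return False
    if "*" not in p:
        return p == h
    plabels = p.split(".")
    hlabels = h.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False                        # partial or multi-level wildcard: reject
    return (len(hlabels) == len(plabels)
            and hlabels[0] != ""
            and hlabels[1:] == plabels[1:])


def check_host(cert: Cert, hostname: str, flags: int = 0) -> Optional[str]:
    """Return "DNS-ID" or "CN-ID" naming the identifier that matched, or None.

    Mirrors the order X509_check_host() uses: walk the DNS-type SAN entries;
    if any exist, the CN is ignored unless ALWAYS_CHECK_SUBJECT is set.
    """
    dns_ids = [d for d in cert.san_dns if d]
    for presented in dns_ids:
        if dns_id_matches(presented, hostname):
            return "DNS-ID"
    if dns_ids and not (flags & ALWAYS_CHECK_SUBJECT):
        return None                         # RFC 6125: MUST NOT fall back to CN-ID
    if cert.cn and dns_id_matches(cert.cn, hostname):
        return "CN-ID"
    return None


if __name__ == "__main__":
    # The poster's certificate: CN names the site, SAN names only localhost.
    poorly_crafted = Cert(cn="mysite.com", san_dns=["localhost"])
    # What Viktor asks for: every name in the SAN, CN repeated as a fallback.
    well_crafted = Cert(cn="mysite.com", san_dns=["mysite.com", "localhost"])
    for label, cert in (("poorly crafted", poorly_crafted), ("well crafted", well_crafted)):
        for name in ("mysite.com", "localhost"):
            print(f"{label:14s} {name:11s} flags=0 -> {check_host(cert, name)}, "
                  f"ALWAYS_CHECK_SUBJECT -> {check_host(cert, name, ALWAYS_CHECK_SUBJECT)}")
```

With the poorly crafted certificate, "mysite.com" matches only when ALWAYS_CHECK_SUBJECT is set, which is exactly the flag the CLI does not expose; with the well crafted one it matches via DNS-ID under either setting. When generating a test certificate with the OpenSSL CLI, `openssl req -x509 ... -subj "/CN=mysite.com" -addext "subjectAltName=DNS:mysite.com,DNS:localhost"` (OpenSSL 1.1.1 or later) produces the SAN layout the reply describes, and `openssl verify -verify_hostname mysite.com` then exercises the same DNS-ID path.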
