I tried the followingthe certificate had a CN of test.example.com and in subjectAltNames dNS were
test.example.com and test.example.net when the Apache ServerName is test.example.net I get this warning[Sun Dec 23 12:45:03 2018] [warn] RSA server certificate CommonName (CN) `test.example.com' does NOT match server name!?
so the CN matters ...so the server behavior is something different to the behavior of the client ...
Walter On 23.12.2018 10:44, Kyle Hamilton wrote:
Does Apache only examine CN=, or does it also check subjectAltNames dNS entries? -Kyle H On Sun, Dec 23, 2018 at 3:25 AM Walter H.<Walter.H@xxxxxxxxxxxxxxxxx> wrote:On 23.12.2018 03:47, Salz, Rich via openssl-users wrote:> >. New certificates should only use the subjectAltName extension.Are any CAs actually doing that? I thought they all still included subject.CN.Yes, I think commercial CA's still do it. But that doesn't make my statement wrong :)Apache raises a warning at the following condition e.g. a virtual Host defines this: ServerName www.example.com:443 and the SSL certificate has a CN which does not correspond to CN=www.example.com, e.g. CN=example.com then the warning looks like this [Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name and fills up the logs Walter
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
