Wow that’s pretty bad .. is that the current version of httpd?? That’d be worth a big report if so, IMO, though I’d imagine it’s an issue they’re aware of. -FG > On Dec 23, 2018, at 6:53 AM, Walter H. <Walter.H@xxxxxxxxxxxxxxxxx> wrote: > > > I tried the following > > the certificate had a CN of test.example.com and in subjectAltNames dNS were > test.example.com and test.example.net > > when the Apache ServerName is test.example.net I get this warning > > [Sun Dec 23 12:45:03 2018] [warn] RSA server certificate CommonName (CN) `test.example.com' does NOT match server name!? > > so the CN matters ... > > so the server behavior is something different to the behavior of the client ... > > Walter > >> On 23.12.2018 10:44, Kyle Hamilton wrote: >> Does Apache only examine CN=, or does it also check subjectAltNames dNS entries? >> >> -Kyle H >> >>> On Sun, Dec 23, 2018 at 3:25 AM Walter H.<Walter.H@xxxxxxxxxxxxxxxxx> wrote: >>>> On 23.12.2018 03:47, Salz, Rich via openssl-users wrote: >>>> > >. New certificates should only use the subjectAltName extension. >>>> >>>>> Are any CAs actually doing that? I thought they all still included subject.CN. >>>> Yes, I think commercial CA's still do it. But that doesn't make my statement wrong :) >>>> >>> Apache raises a warning at the following condition >>> >>> e.g. a virtual Host defines this: >>> >>> ServerName www.example.com:443 >>> >>> and the SSL certificate has a CN which does not correspond to >>> CN=www.example.com, e.g. CN=example.com >>> >>> then the warning looks like this >>> >>> [Fri Dec 07 07:08:19.393876 2018] [ssl:warn] [pid 29746] AH01909: >>> www.example.com:443:0 server certificate does NOT include an ID which >>> matches the server name >>> >>> and fills up the logs >>> >>> Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
