Hello, Thank you for this piece of information. It was about time to officially obsolete CN check ... Just some additional history here: CN was deprecated in May 2000 - RFC 2818: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. In 2017 Chromium enforced use of SAN, and to my knowledge the other browsers followed: https://chromestatus.com/feature/4981025180483584 https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/ Kind Regards, Georg -----Ursprüngliche Nachricht----- Von: openssl-users <openssl-users-bounces@xxxxxxxxxxx> Im Auftrag von Steffen Nurpmeso Gesendet: 17 November 2023 19:15 An: openssl-users@xxxxxxxxxxx Betreff: fyi: RFC 9525 obsoletes commonName check RFC 9525 changes the way TLS certification is done: * The server identity can only be expressed in the subjectAltNames extension; it is no longer valid to use the commonName RDN, known as CN-ID in [VERIFY]. Not such a big surprise as already the book "Network Security with OpenSSL" (O'Reilly, ISBN 0-596-00270-X, June 2002; Thank you!) states: The common practice with X.509v1 certificates was to put the FQDN in the certificate's commonName field of the subjectName field. This practice is no longer recommended for new applications since X.509v3 allows certificate extensions to hold the FQDN as well as other identifying information, such as IP address. The proper place for the FQDN is in the dNSName field of the subjectAltName extension. Nonetheless commonName is tested (and sometimes even falsely in addition to subjectAltName, as just recently fixed for the MUA i maintain (then removed entirely as a fixup)). (Slightly adjusted version of an email i sent to another list some days ago.) --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off (By Robert Gernhardt)
