On 09/15/2014 01:44 PM, Alexey Klyukin wrote:
>>> Committed, with that change, ie. the CN is not checked if SANs are present.
>
> Actually, I disagree with the way the patch ignores the CN. Currently,
> it skips the
> CN unconditionally if the SubjectAltName section is present. But what
> RFC 6125 says
> is:
>
> "If a subjectAltName extension of type dNSName is present, that MUST
> be used as the identity. Otherwise, the (most specific) Common Name
> field in the Subject field of the certificate MUST be used."
>
> This means that we have to check that at least one dNSName resource is
> present before
> rejecting to examine the CN. Attached is a one-liner (excluding
> comments) that fixes this.
Ok, good catch. Fixed.
- Heikki