[Help-gnutls] gnutls_x509_crt_check_hostname()
Daniel Stenberg
daniel at haxx.se
Wed Aug 12 00:04:44 CEST 2009

Hey gnutls'ers!

When I pass a cert and a hostname to the gnutls_x509_crt_check_hostname()
function (I'm using 2.8.1-2 on a Debian Linux here), I'm seeing a problem I'd
like your feedback on!

If the server cert has a subjectAltName field that doesn't match, but also a
CN that matches, it seems this function happily returns OK. The way I'm
reading RFC2818, that's not what it is supposed to do:

    If a subjectAltName extension of type dNSName is present, that MUST
    be used as the identity. Otherwise, the (most specific) Common Name
    field in the Subject field of the certificate MUST be used.

Am I wrong?

--
/ daniel.haxx.se
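
The precedence rule quoted from RFC 2818 in the message above, written out as an added example; it is not part of the original post and is not GnuTLS code. The function names, the simplified single-label wildcard handling and the sample host names are assumptions made for illustration, and the names are taken as already extracted from the certificate.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality for ASCII host names. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b; /* equal only if both strings ended together */
}

/* Match one certificate name; "*." covers exactly one leftmost label
 * (simplified wildcard handling, an assumption of this example). */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && eq_nocase(pattern + 1, dot);
    }
    return eq_nocase(pattern, host);
}

/* RFC 2818 precedence: when any dNSName subjectAltName is present, only
 * those names form the identity. The CN is consulted only when the
 * certificate carries no dNSName at all. Returns 1 on match, else 0. */
int rfc2818_check_hostname(const char *host,
                           const char *const *dns_names, size_t n_dns,
                           const char *common_name)
{
    if (n_dns > 0) {
        for (size_t i = 0; i < n_dns; i++)
            if (name_matches(dns_names[i], host))
                return 1;
        return 0; /* dNSName present but no match: no fallback to CN */
    }
    return common_name != NULL && name_matches(common_name, host);
}

/* Constructed sample: the case from the post (SAN mismatch, CN match). */
int main(void)
{
    const char *const sans[] = { "other.example.net" };
    printf("SAN mismatch, CN match -> %d\n",
           rfc2818_check_hostname("www.example.com", sans, 1, "www.example.com"));
    return 0;
}
```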