[Help-gnutls] gnutls_x509_crt_check_hostname()

Daniel Stenberg daniel at haxx.se
Wed Aug 12 00:04:44 CEST 2009

Hey gnutls'ers!

When I pass a cert and a hostname to the gnutls_x509_crt_check_hostname() 
function (I'm using 2.8.1-2 on a Debian Linux here), I'm seeing a problem I'd 
like your feedback on!

If the server cert has a subjectAltName field that doesn't match, but also a 
CN that matches, it seems this function happily returns OK. The way I'm 
reading RFC2818, that's not what it is supposed to do:

     If a subjectAltName extension of type dNSName is present, that MUST
     be used as the identity. Otherwise, the (most specific) Common Name
     field in the Subject field of the certificate MUST be used.

Am I wrong?


  / daniel.haxx.se

More information about the Gnutls-help mailing list