[Help-gnutls] Re: gnutls_x509_crt_check_hostname()

Simon Josefsson simon at josefsson.org
Wed Aug 12 10:27:20 CEST 2009

Daniel Stenberg <daniel at haxx.se> writes:

> Hey gnutls'ers!
> When I pass a cert and a hostname to the
> gnutls_x509_crt_check_hostname() function (I'm using 2.8.1-2 on a
> Debian Linux here), I'm seeing a problem I'd like your feedback on!
> If the server cert has a subjectAltName field that doesn't match, but
> also a CN that matches, it seems this function happily returns OK. The
> way I'm reading RFC2818, that's not what it is supposed to do:
>     If a subjectAltName extension of type dNSName is present, that MUST
>     be used as the identity. Otherwise, the (most specific) Common Name
>     field in the Subject field of the certificate MUST be used.
> Am I wrong?

I agree with you.

Looking at the code, though, it seems that at a first glance both the
comments and the code suggests that this situation is taken into
account.  I've noticed that the code fails to check return values, so a
corrupt SAN might be skipped, but I'm not sure if that applies in your

Can you post the certificate, or create one that exhibits the same

We'll need to do a 2.8.3 shortly so if there is another problem in this
area, it would be nice to fix it at the same time.
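As an added example, not code from this thread or from GnuTLS, here is the check as RFC 2818 describes it, in Python: when any dNSName SAN is present it is the only identity consulted, a malformed SAN entry fails closed instead of being skipped, and the CN is used only when no dNSName SAN exists. The `Cert` stand-in, `check_hostname` and the wildcard rule (a `*` is accepted only as the whole left-most label, stricter than RFC 2818's fragment wildcards) are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Constructed stand-in for a parsed certificate, not a GnuTLS type."""
    common_name: Optional[str]                                 # subject CN, or None
    san_dns_names: List[bytes] = field(default_factory=list)  # raw dNSName values


def _decode_dns_name(raw: bytes) -> Optional[str]:
    """Decode a dNSName value; None means malformed (empty, NUL, non-ASCII)."""
    if not raw or b"\x00" in raw:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' is accepted only as the whole left-most
    label (a strict subset of RFC 2818 wildcards) and needs two fixed labels."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def check_hostname(cert: Cert, hostname: str) -> bool:
    """RFC 2818 s3.1: if any dNSName SAN exists it is the only identity
    consulted; the CN is used only when no dNSName SAN is present."""
    if cert.san_dns_names:
        for raw in cert.san_dns_names:
            name = _decode_dns_name(raw)
            if name is None:
                return False          # fail closed: never fall through to the CN
            if _dns_name_matches(name, hostname):
                return True
        return False                  # SAN present but no match: CN is ignored
    if cert.common_name is None:
        return False
    return _dns_name_matches(cert.common_name, hostname)
```

The first case in the test below is the one from the thread: a SAN that does not match alongside a CN that does, which must be rejected.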
