[Help-gnutls] Re: gnutls_x509_crt_check_hostname()
simon at josefsson.org
Wed Aug 12 10:27:20 CEST 2009
Daniel Stenberg <daniel at haxx.se> writes:
> Hey gnutls'ers!
> When I pass a cert and a hostname to the
> gnutls_x509_crt_check_hostname() function (I'm using 2.8.1-2 on a
> Debian Linux here), I'm seeing a problem I'd like your feedback on!
> If the server cert has a subjectAltName field that doesn't match, but
> also a CN that matches, it seems this function happily returns OK. The
> way I'm reading RFC2818, that's not what it is supposed to do:
> If a subjectAltName extension of type dNSName is present, that MUST
> be used as the identity. Otherwise, the (most specific) Common Name
> field in the Subject field of the certificate MUST be used.
> Am I wrong?
I agree with you.
Looking at the code, though, it seems that at first glance both the
comments and the code suggest that this situation is taken into
account. I've noticed that the code fails to check return values, so a
corrupt SAN might be skipped, but I'm not sure if that applies in your
Can you post the certificate, or create one that exhibits the same
We'll need to do a 2.8.3 shortly so if there is another problem in this
area, it would be nice to fix it at the same time.
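The RFC 2818 rule discussed above, written out as a stand-alone C check. This is an added example for this archive page, not GnuTLS's gnutls_x509_crt_check_hostname() implementation and not code from either poster. The struct cert_identity, the three constructed sample identities and the names check_hostname / check_hostname_lenient are assumptions for illustration; a real caller would fill the struct from the certificate's dNSName SAN entries and subject CN. The lenient variant reproduces the behaviour Daniel describes (falling back to the CN after a SAN mismatch); the strict one ignores the CN as soon as any dNSName SAN is present, and also applies a wildcard rule somewhat stricter than RFC 2818's text: '*' is accepted only as the whole leftmost label and never as a match for a bare or top-level domain.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the identity fields parsed out of a certificate.
 * Not a GnuTLS type: a real caller would fill it from the dNSName SAN entries
 * and the subject CN. dns_sans is NULL-terminated. */
struct cert_identity {
    const char *cn;           /* subject CN, or NULL if absent */
    const char *dns_sans[8];  /* dNSName SAN entries, NULL-terminated */
};

/* Constructed sample identities (not real certificates). */
static const struct cert_identity SAN_MISMATCH_CN_MATCH = {
    .cn = "www.example.com", .dns_sans = { "other.example.com", NULL } };
static const struct cert_identity SAN_ONLY = {
    .cn = "ignored.example.net", .dns_sans = { "*.example.com", "example.com", NULL } };
static const struct cert_identity CN_ONLY = {
    .cn = "www.example.com", .dns_sans = { NULL } };

static size_t count_labels(const char *s) {
    if (*s == '\0') return 0;
    size_t n = 1;
    for (; *s; s++) if (*s == '.') n++;
    return n;
}

/* Case-insensitive comparison of one DNS label (DNS names are ASCII). */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Match one certificate name against the hostname, label by label.
 * RFC 2818: "*.a.com" matches "foo.a.com" but not "bar.foo.a.com".
 * Added restrictions here: '*' must be the entire leftmost label, the
 * pattern must have at least three labels (so "*.com" matches nothing),
 * and empty labels are rejected. A '*' anywhere else is compared literally,
 * which can never equal a real hostname label. */
static bool name_matches(const char *pattern, const char *host) {
    size_t plabels = count_labels(pattern), hlabels = count_labels(host);
    if (plabels == 0 || plabels != hlabels) return false;
    const char *p = pattern, *h = host;
    for (size_t i = 0; i < plabels; i++) {
        const char *pe = strchr(p, '.');
        const char *he = strchr(h, '.');
        size_t plen = pe ? (size_t)(pe - p) : strlen(p);
        size_t hlen = he ? (size_t)(he - h) : strlen(h);
        if (plen == 0 || hlen == 0) return false;
        bool wildcard = (plen == 1 && p[0] == '*');
        if (wildcard) {
            if (i != 0 || plabels < 3) return false;
        } else if (!label_eq(p, plen, h, hlen)) {
            return false;
        }
        p = pe ? pe + 1 : p + plen;
        h = he ? he + 1 : h + hlen;
    }
    return true;
}

/* RFC 2818 section 3.1: if any dNSName SAN is present it is the identity and
 * the CN is not consulted at all; only a certificate with no dNSName SAN
 * falls back to the (most specific) CN. */
bool check_hostname(const struct cert_identity *id, const char *host) {
    if (id->dns_sans[0] != NULL) {
        for (size_t i = 0; id->dns_sans[i] != NULL; i++)
            if (name_matches(id->dns_sans[i], host)) return true;
        return false;  /* SAN present but no match: do NOT look at the CN */
    }
    return id->cn != NULL && name_matches(id->cn, host);
}

/* The behaviour reported in the thread, reproduced as a stand-in (not
 * GnuTLS's code): falling through to the CN after the SANs fail to match. */
bool check_hostname_lenient(const struct cert_identity *id, const char *host) {
    for (size_t i = 0; id->dns_sans[i] != NULL; i++)
        if (name_matches(id->dns_sans[i], host)) return true;
    return id->cn != NULL && name_matches(id->cn, host);
}

int main(void) {
    const char *host = "www.example.com";
    printf("SAN mismatch + CN match, strict:  %s\n",
           check_hostname(&SAN_MISMATCH_CN_MATCH, host) ? "OK" : "REJECT");
    printf("SAN mismatch + CN match, lenient: %s\n",
           check_hostname_lenient(&SAN_MISMATCH_CN_MATCH, host) ? "OK" : "REJECT");
    return 0;
}
```

The lenient function accepts the certificate in Daniel's scenario and the strict one rejects it; the difference is entirely in whether a present-but-mismatching dNSName SAN ends the decision. A related point from Simon's reply: a SAN entry that fails to parse should count as "SAN present, no match" and fail closed, rather than being skipped so that the CN fallback is reached.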