Bug #6493
Status: closed
OpenSSL::SSL ignores DN if subjectAltName is specified
Description
In ext/openssl/lib/openssl/ssl.rb, verify_certificate_identity seems to intentionally not check the DN if any subjectAltName extensions are found.
RFC3280 says
The subject alternative names extension allows additional identities to be bound to the subject of the certificate. ...
which suggests that it contains additional identities, and thus does not exclude the subject.
This functionality was added way back in 2005, r7970:
* ext/openssl/lib/openssl/ssl.rb
(OpenSSL::SSL::SSLSocket#post_connection_check): new method.
and moved around several times since then.
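The behaviour described in this report can be reproduced with constructed certificates. The Ruby below is an added example, not code from the report or from ext/openssl; `make_cert`, `san_dns_names` and `cn_ignored?` are hypothetical helpers, and the host names and throwaway key are constructed sample values.

```ruby
require "openssl"

# Constructed sample data: one throwaway key for self-signed test certificates.
KEY = OpenSSL::PKey::RSA.new(2048)

# Hypothetical helper: self-signed certificate with subject CN and optional SAN.
def make_cert(cn, san = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if san
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("subjectAltName", san, false))
  end
  cert.sign(KEY, OpenSSL::Digest.new("SHA256"))
end

# Hypothetical helper: dNSName entries of subjectAltName ([] if absent).
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return [] unless ext
  ext.value.split(/,\s*/).map { |v| v[/\ADNS:(.+)\z/, 1] }.compact
end

# Audit check: true when the certificate carries dNSName SANs and the
# subject CN is therefore not accepted by verify_certificate_identity.
def cn_ignored?(cert)
  cn = cert.subject.to_a.find { |oid, _| oid == "CN" }&.at(1)
  return false unless cn
  !san_dns_names(cert).empty? &&
    !OpenSSL::SSL.verify_certificate_identity(cert, cn)
end

if $PROGRAM_NAME == __FILE__
  cert = make_cert("www.example.com", "DNS:alt.example.com")
  %w[www.example.com alt.example.com].each do |host|
    ok = OpenSSL::SSL.verify_certificate_identity(cert, host)
    puts "#{host}: #{ok ? 'accepted' : 'rejected'}"
  end
  puts "CN ignored: #{cn_ignored?(cert)}"
end
```

Running `cn_ignored?` over certificates before deployment shows which ones rely on a CN that clients using this check will not match.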