Bug #6493

OpenSSL::SSL ignores DN if subjectAltName is specified

Added by djmitche (Dustin Mitchell) almost 12 years ago. Updated over 4 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
trunk
Backport:
[ruby-core:45223]

Description

In ext/openssl/lib/openssl/ssl.rb, verify_certificate_identity seems to intentionally not check the DN if any subjectAltName extensions are found.

RFC3280 says

   The subject alternative names extension allows additional identities
   to be bound to the subject of the certificate. ...

which suggests that it contains additional identities, and thus does not exclude the subject.

This functionality was added way back in 2005, r7970:

* ext/openssl/lib/openssl/ssl.rb
  (OpenSSL::SSL::SSLSocket#post_connection_check): new method.

and moved around several times since then.
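The behaviour the report describes, shown as an added example (this is not code from the bug report or from ext/openssl/lib/openssl/ssl.rb). It builds two constructed self-signed certificates in-process, one with a subjectAltName and one with only a CN, then checks a hostname against them two ways: with a small reimplementation of the RFC 6125 rule (once dNSName SANs are present the subject CN is not consulted, which is also what Ruby's `OpenSSL::SSL.verify_certificate_identity` does) and, behind an opt-in flag, with the CN fallback the report asks for. `make_cert`, `san_dns_names`, `common_name`, `hostname_match?` and `identity_matches?` are names chosen here; the hostnames are made-up test data.

```ruby
require 'openssl'

# Build a self-signed test certificate with the given CN and DNS SANs.
# Constructed test data only; not a certificate from any real CA.
def make_cert(cn:, sans: [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    value = sans.map { |s| "DNS:#{s}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", value, false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Collect every dNSName entry from the subjectAltName extension(s).
def san_dns_names(cert)
  names = []
  cert.extensions.each do |ext|
    next unless ext.oid == "subjectAltName"
    # Extension DER = SEQUENCE { OID, [critical], OCTET STRING }.
    # The OCTET STRING wraps a SEQUENCE OF GeneralName; dNSName is [2].
    octets = OpenSSL::ASN1.decode(ext.to_der).value.last
    OpenSSL::ASN1.decode(octets.value).value.each do |general_name|
      names << general_name.value if general_name.tag == 2
    end
  end
  names
end

# First CN attribute of the subject DN, or nil when there is none.
def common_name(cert)
  cert.subject.to_a.each { |oid, value, _type| return value if oid == "CN" }
  nil
end

# Case-insensitive exact match, or a single leading "*." wildcard that
# matches exactly one DNS label (no "*" matching "a.b" or the bare domain).
def hostname_match?(pattern, hostname)
  pattern = pattern.downcase
  hostname = hostname.downcase
  if pattern.start_with?("*.")
    suffix = pattern[1..] # ".example.com"
    return false unless hostname.end_with?(suffix)
    label = hostname[0...-suffix.length]
    return !label.empty? && !label.include?(".")
  end
  pattern == hostname
end

# RFC 6125 rule: dNSName SANs, if present, are the only identities checked.
# fall_back_to_cn_when_san_present: true gives the behaviour the report
# requests, i.e. the CN is treated as one more identity alongside the SANs.
def identity_matches?(cert, hostname, fall_back_to_cn_when_san_present: false)
  sans = san_dns_names(cert)
  return true if sans.any? { |san| hostname_match?(san, hostname) }
  if sans.empty? || fall_back_to_cn_when_san_present
    cn = common_name(cert)
    return true if cn && hostname_match?(cn, hostname)
  end
  false
end

SAN_CERT     = make_cert(cn: "www.example.com",
                         sans: ["api.example.com", "*.internal.example.com"])
CN_ONLY_CERT = make_cert(cn: "www.example.com")

if $PROGRAM_NAME == __FILE__
  ["www.example.com", "api.example.com", "db.internal.example.com"].each do |h|
    puts format("%-25s rfc6125=%-5s with-cn-fallback=%-5s stdlib=%s", h,
                identity_matches?(SAN_CERT, h),
                identity_matches?(SAN_CERT, h, fall_back_to_cn_when_san_present: true),
                OpenSSL::SSL.verify_certificate_identity(SAN_CERT, h))
  end
end
```

The last column calls Ruby's own `OpenSSL::SSL.verify_certificate_identity` on the same certificate so the two implementations can be compared directly: for `www.example.com` the SAN certificate fails under both the reimplemented RFC 6125 rule and the stdlib check, and only passes when the CN fallback flag is turned on.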
