Enhancement #521

closed

Certificates check: use only SAN for hostname matching, not CN

Added by Marc Dequènes about 7 years ago. Updated almost 7 years ago.

Status: Resolved
Priority: Normal
Category: Service :: IS / AAA / PKI
Start date: 2017-04-05
Due date:
% Done: 100%
Estimated time:
Patch Available:
Confirmed: No
Branch:
Entity: DuckCorp
Security:
Help Needed:

Description

#1

Updated by Marc Dequènes almost 7 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

In fact browsers already implemented the change but we were saved because certificates old enough still had the CN matching fallback, so next cert regeneration would have caused the end of the world.

I implemented the change for all certificates, even non-web, as the logic about CN being untyped makes sense and it is now only used for human-style service name.

All certs have been regenerated and installed. After services reload/restart everything works fine, and FF as well as Chromium are happy.
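An added example (not part of the original ticket or of DuckCorp's tooling) of the SAN-only matching described in the comment above: it classifies a certificate, given in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, as matching via SAN, matching only through the legacy CN fallback, or not matching. The certificates and host names are constructed.

```python
# Added example: SAN-only hostname matching over the dict shape returned by
# ssl.SSLSocket.getpeercert(). The sample certificates below are constructed.

def _label_match(pattern: str, host: str) -> bool:
    """Match one dNSName against a host; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # The wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def san_dns_names(cert: dict) -> list:
    """Return the typed dNSName entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert: dict):
    """Return the untyped subject CN, or None when the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit(cert: dict, host: str) -> str:
    """Classify a certificate for `host` under SAN-only matching."""
    if any(_label_match(name, host) for name in san_dns_names(cert)):
        return "ok"
    cn = common_name(cert)
    if cn is not None and _label_match(cn, host):
        # Accepted only by the legacy CN fallback; SAN-only clients reject it.
        return "cn-only"
    return "mismatch"


# Constructed sample certificates (hypothetical names).
LEGACY = {"subject": ((("commonName", "www.example.org"),),)}
REGENERATED = {
    "subject": ((("commonName", "Example web service"),),),  # human-style name
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.apps.example.org")),
}

if __name__ == "__main__":
    for label, cert in (("legacy", LEGACY), ("regenerated", REGENERATED)):
        print(label, audit(cert, "www.example.org"))
```

A `cn-only` result marks a certificate that still depends on the CN fallback and needs a SAN entry before its next regeneration.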
