Certificates check: use only SAN for hostname matching, not CN
CN matching is deprecated: https://tools.ietf.org/html/rfc2818
Recently major browsers expressed their wish to eradicate it totally, so we should be ready:
Updated by Marc Dequènes over 2 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
In fact browsers already implemented the change but we were saved because certificates old enough still had the CN matching fallback, so next cert regeneration would have caused the end of the world.
I implemented the change for all certificates, even non-web, as the logic about CN being untyped makes sense and it is now only used for human-style service name.
All certs have been regenerated and installed. After services reload/restart everything works fine, and FF as well as Chromium are happy.
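A check for the situation described in this ticket, as an added example that is not code from the ticket or from the project: it classifies whether a certificate matches a hostname through SAN or only through the deprecated CN fallback. The function names and sample certificates are constructed for illustration; the input is assumed to use the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: find certificates that only validate via the CN fallback.
# Input layout is the dict returned by ssl.SSLSocket.getpeercert().


def _name_match(pattern, host):
    """Compare DNS names label by label; '*' counts only as the whole
    leftmost label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice: refuse wildcards directly under a TLD ("*.org").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def classify(cert, host):
    """Return 'san', 'cn-only' (valid only for clients that still fall back
    to CN) or 'mismatch'."""
    sans = san_dns_names(cert)
    if sans:
        # Once SAN DNS names exist, CN is never consulted.
        return "san" if any(_name_match(n, host) for n in sans) else "mismatch"
    if any(_name_match(n, host) for n in common_names(cert)):
        return "cn-only"
    return "mismatch"


# Constructed sample certificates (not real data).
OLD_CERT = {"subject": ((("commonName", "www.example.org"),),)}
NEW_CERT = {
    "subject": ((("commonName", "Example web service"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.apps.example.org")),
}

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, classify(cert, "www.example.org"))
```

Any certificate reported as `cn-only` stops validating in clients that have dropped the fallback and needs to be reissued with the hostname in SAN.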