Enhancement #521

Certificates check: use only SAN for hostname matching, not CN

Added by Marc Dequènes about 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Category: Service :: IS / AAA / PKI
Start date: 2017-04-05
Due date:
% Done: 100%

Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Help Needed:

Description

History

#1 Updated by Marc Dequènes about 2 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

In fact browsers already implemented the change but we were saved because certificates old enough still had the CN matching fallback, so next cert regeneration would have caused the end of the world.

I implemented the change for all certificates, even non-web, as the logic about CN being untyped makes sense and it is now only used for human-style service name.

All certs have been regenerated and installed. After services reload/restart everything works fine, and FF as well as Chromium are happy.
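An added example, not part of the original ticket or of DuckCorp's tooling: a pre-regeneration audit that classifies a certificate as matching a hostname through SAN, through the CN fallback only (the case that breaks once clients ignore CN), or not at all. It assumes certificate data shaped like the dict returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, hostnames and sample certificates are constructed, and refusing wildcards with fewer than three labels is a conservative assumption.

```python
# Added example: SAN-only hostname matching over dicts shaped like
# ssl.SSLSocket.getpeercert() output. All certificate data is constructed.

def _label_match(pattern: str, host: str) -> bool:
    """Compare a DNS name from the cert with a hostname, label by label.
    '*' is accepted only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never several
    if p[0] == "*":
        # Assumption: refuse overly broad wildcards such as "*.org"
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert: dict) -> list:
    """Typed dNSName entries from subjectAltName."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert: dict) -> list:
    """Untyped commonName values from the subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def classify(cert: dict, host: str) -> str:
    """'san-match': accepted by SAN-only clients.
    'cn-only': matches only through the CN fallback, so SAN-only clients reject it.
    'no-match': the certificate does not cover this hostname at all."""
    if any(_label_match(n, host) for n in san_dns_names(cert)):
        return "san-match"
    if any(_label_match(n, host) for n in common_names(cert)):
        return "cn-only"
    return "no-match"

# Constructed samples: an old-style cert with the hostname only in CN, and a
# regenerated one where CN is a human-readable service name.
LEGACY = {"subject": ((("commonName", "www.example.org"),),)}
REGENERATED = {
    "subject": ((("commonName", "Example web service"),),),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "*.apps.example.org")),
}

if __name__ == "__main__":
    for name, cert in (("legacy", LEGACY), ("regenerated", REGENERATED)):
        print(name, classify(cert, "www.example.org"))
```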
