https://projects.duckcorp.org/https://projects.duckcorp.org/favicon.ico?16699090422017-04-30T06:38:25ZDuckCorp ProjectsDuckCorp Infrastructure - Enhancement #521: Certificates check: use only SAN for hostname matching, not CNhttps://projects.duckcorp.org/issues/521?journal_id=11112017-04-30T06:38:25ZMarc Dequènesduck@duckcorp.org
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Resolved</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>In fact browsers already implemented the change but we were saved because certificates old enough still had the CN matching fallback, so next cert regeneration would have caused the end of the world.</p>
<p>I implemented the change for all certificates, even non-web, as the logic about CN being untyped makes sense and it is now only used for human-style service name.</p>
<p>All certs have been regenerated and installed. After services reload/restart everything works fine, and FF as well as Chomium are happy.</p>