On 03.11.2012 06:17, deepak khandelwal wrote:
> The peer end has the certificate below, with multiple IPs in the Subject Alt
> Name, and the remote Identifier set at the local end is 188.8.131.52.
> While validating the certificate, will it consider all the IPs present
> in the Subject Alt Name?
> Or will it check only the first one and invalidate the certificate?
> X509v3 Subject Alternative Name:
> IP Address:10.0.0.1, IP Address:184.108.40.206
> In my testing it reports an error (Subject Alt Name mismatched) if the first IP
> doesn't match the Identifier IP.
> Also, after a code walk-through I found the same. Is it a bug or the
> expected behavior of racoon?
You are right, it will only check the first subjectAltName of the
desired type (ipAddress).
All further ones are ignored.
This is definitely a bug.
The function should walk over all set subjectAltName extension elements
and check every one that is of the appropriate type.
I thought I had a patch for that, but I can't find it anymore... :-(
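As an added illustration of the two behaviours discussed above (not code from racoon or from this thread), the following minimal DER parser decodes a constructed X509v3 Subject Alternative Name value holding two iPAddress entries, and compares a peer identifier against only the first entry versus against all entries. The byte string and the helper names are constructed for this example.

```python
import ipaddress

# Constructed sample: DER encoding of a GeneralNames value holding two iPAddress
# entries (context tag [7] = 0x87, 4 octets each for IPv4). Not taken from any real cert.
SAN_TWO_IPS = bytes([
    0x30, 0x0c,                          # SEQUENCE, 12 bytes of content
    0x87, 0x04, 10, 0, 0, 1,             # iPAddress 10.0.0.1
    0x87, 0x04, 192, 0, 2, 7,            # iPAddress 192.0.2.7 (documentation range)
])

def parse_general_names(der):
    """Yield (tag, value) for each GeneralName inside a DER GeneralNames SEQUENCE.
    Hypothetical minimal parser: handles short and long definite length forms only."""
    def read_tlv(buf, pos):
        tag = buf[pos]
        length = buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7f
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        return tag, buf[pos:pos + length], pos + length

    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a well-formed GeneralNames SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def san_ip_addresses(der):
    """Return every iPAddress GeneralName ([7], raw 4 or 16 octets) as an ipaddress object."""
    return [ipaddress.ip_address(v) for t, v in parse_general_names(der) if t == 0x87]

def matches_first_only(der, identifier):
    """The behaviour reported in the thread: only the first iPAddress entry is compared."""
    ips = san_ip_addresses(der)
    return bool(ips) and ips[0] == ipaddress.ip_address(identifier)

def matches_any(der, identifier):
    """The intended check: accept if any iPAddress entry equals the peer identifier."""
    return ipaddress.ip_address(identifier) in san_ip_addresses(der)
```

With the sample above, an identifier of 192.0.2.7 is rejected by `matches_first_only` but accepted by `matches_any`, which is the difference the reply describes.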