#454 HTTP/TLS/X509: use subjectAltName to match server identity

Feature_Request
open
nobody
Net (141)
5
2014-01-13
2011-06-29
Peter Nalyvayko
No

Currently, X509 Certificate implementation uses commonName to match the server identity. However, according to RFC 2818:

"If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead." [end quote]

Discussion

  • X509Certificate::verify() already works this way. First, the host name is searched for in the subjectAltName dNSName entries. If no matching entry is found there, the comparison against commonName is done (with wildcard checking). What we don't do currently is wildcard matching against subjectAltNames. There seems to be some controversy whether wildcard entries in subjectAltName dNSNames are valid at all. How do other implementations handle this?
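As an added illustration of the ordering RFC 2818 prescribes (this is example code written for this page, not this project's X509Certificate::verify() and not code from anyone in the thread), the matcher below takes the certificate's dNSName subjectAltName entries and its commonName as plain Python values (parsing a real certificate is assumed to happen elsewhere). If any dNSName entries are present they alone decide the outcome and commonName is never consulted; only a certificate with no dNSName entries falls back to commonName. Wildcard matching is applied identically to both sources, using the RFC 2818 rule that "*.a.com" matches "foo.a.com" but not "bar.foo.a.com", tightened as RFC 6125 section 6.4.3 recommends so that "*" must be the whole leftmost label and patterns like "*.com" are rejected; that tightening is a choice made here, not something the page states.

```python
"""RFC 2818 style host name matching against a certificate's identities.

Added example: subjectAltName dNSName entries and the commonName are passed in
as plain strings (constructed test data); no certificate parsing is done here.
"""
from typing import Optional, Sequence


def match_dns_name(pattern: str, host: str) -> bool:
    """Match one presented identifier (a dNSName or CN) against a host name.

    Comparison is case-insensitive and ignores a trailing dot.  Wildcard rules:
    '*' may only be the entire leftmost label (RFC 6125 6.4.3), it matches
    exactly one label, it never matches across a dot, and there must be at
    least two literal labels after it so that '*.com' is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host

    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # '*' must be the whole first label, appear nowhere else, and leave at least
    # two literal labels ("*.a.com" is fine, "*.com" and "f*.a.com" are not)
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # One wildcard label matches exactly one host label, so "*.a.com" matches
    # "foo.a.com" but neither "a.com" nor "bar.foo.a.com"
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def verify_host_name(host: str,
                     san_dns_names: Sequence[str],
                     common_name: Optional[str]) -> bool:
    """Return True if host matches the certificate identity per RFC 2818.

    If the certificate carries any subjectAltName dNSName entries, those MUST
    be used and commonName is ignored even when it would have matched.  Only a
    certificate without dNSName entries falls back to the (deprecated) CN.
    """
    if san_dns_names:
        return any(match_dns_name(name, host) for name in san_dns_names)
    if common_name is None:
        return False
    return match_dns_name(common_name, host)


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real certificate.
    san = ["www.example.com", "*.api.example.com"]
    cn = "other.example.com"
    for candidate in ("www.example.com", "other.example.com",
                      "v1.api.example.com", "deep.v1.api.example.com"):
        print(f"{candidate:28s} -> {verify_host_name(candidate, san, cn)}")
```

Running the block prints one line per candidate; the second line shows the point of the RFC text quoted above: "other.example.com" equals the CN but is rejected, because dNSName entries are present and take precedence.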