I was just stumbling over this as well when I did the relayd: SNI diff.

OK reyk

On Fri, May 10, 2019 at 1:50 PM Stuart Henderson <s...@spacehopper.org>
wrote:

> it's standard behaviour for web browsers to not use hostnames in
> Subject at all but require SAN. current ssl(8) text suggests "some new"
> and "deprecated" rather than "stopped supporting".
>
> comments/ok?
>
>
> Index: ssl.8
> ===================================================================
> RCS file: /cvs/src/share/man/man8/ssl.8,v
> retrieving revision 1.67
> diff -u -p -r1.67 ssl.8
> --- ssl.8       25 Mar 2019 18:36:58 -0000      1.67
> +++ ssl.8       10 May 2019 11:48:41 -0000
> @@ -94,9 +94,9 @@ You can also sign the key yourself, usin
>    -out /etc/ssl/server.crt
>  .Ed
>  .Pp
> -Note that some new browsers have deprecated using the common name of a
> -certificate and require that subject alt names are provided.
> -This may require the use of
> +Note that standard web browsers do not use the common name of a subject,
> +but instead require that subject alt names are provided.
> +This requires the use of
>  .Ar -extfile Pa server.ext
>  when self-signing.
>  .Bd -literal -offset indent
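Review bot: In the first added line, "the common name of a subject" reads oddly, because the common name is a field of the certificate's subject rather than of a subject in general; wording such as "do not use the common name in the certificate subject" would be clearer. The second added line could also spell out "subject alternative names" once, since the mail above refers to it as SAN and that is the term a reader will look for when writing server.ext.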
>
>
