On 26-12-12 17:19, Indtiny s wrote:
> I verified the certificate with the openssl command line tool; in that I
> could see the subject field is NULL and the SubjAltNames are present.
> 
> This is valid as per [RFC 5280]: “If subject naming information
> is present only in the subjectAltName extension
> (e.g., a key bound only to an email address or URI), then the subject name
> MUST be an empty sequence and the subjectAltName extension MUST be critical.”
> 
> When I tried to understand the curl code for this problem: curl is calling
> “X509_get_subject_name” for retrieving “SubjectName”, and if the “SubjectName” field
> is empty, curl throws the “SSL: couldn't get X509-subject!” error
> instead of checking for the “SubjectAlternativeName extension”.
> 
> Is curl really missing the check for the SubjectAlternativeName? If curl
> supports this, then how do I enable curl to check the Subject
> Alternative Name?
> 
> Rgds
> Indra

Hi,

I believe RFC 5280 is misinterpreted on this point, and you probably meant
to point to RFC 2818 with regard to the Subject Alt Name check itself.
However, with respect to RFC 5280: if there is no naming available at all,
then the Subject Name must be an empty sequence. That is to say, if you have
no motivation whatsoever to follow a CA's naming scheme.

Not having/implementing/using a Subject Name (or Subject DN) is against a
(strong) recommendation of the CA/B Forum.

On a practical note, I suspect more tools will raise an error on this
certificate construction. Also, different SSL backends of libcurl might
raise warnings or errors from the SSL stack itself.

What CA did you use? Was it a commercial CA?

I've considered removing this check on the assumption that Subject Alt Names
are present, but declined as a matter of best practice: always have a Subject
Name, even when it is not used in an RFC 2818 check.


        Oscar
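
The RFC 5280 rule Indra quotes (an empty subject is only allowed when a subjectAltName extension is present and marked critical) can be checked directly on a DER certificate. This is an added example, not curl's or OpenSSL's code: it uses a hand-written DER walker and a constructed certificate skeleton (placeholder algorithm, key and signature, with the assumed name example.test) so it runs offline.

```python
SAN_OID = bytes.fromhex("551d11")          # OID 2.5.29.17 id-ce-subjectAltName

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):                          # (tag, value) of each direct child TLV
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def subject_and_san(cert_der):
    """Return (subject_empty, san_present, san_critical) for a DER certificate."""
    tbs = next(children(read_tlv(cert_der)[1]))[1]   # tbsCertificate body
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                # skip EXPLICIT [0] version
        fields = fields[1:]
    subject_empty = len(fields[4][1]) == 0  # serial, sigAlg, issuer, validity, subject
    san_present = san_critical = False
    for tag, val in fields[5:]:
        if tag != 0xA3:                     # only [3] EXPLICIT Extensions
            continue
        for _, ext in children(next(children(val))[1]):
            parts = list(children(ext))     # extnID, [critical], extnValue
            if parts[0][1] == SAN_OID:
                san_present = True
                san_critical = len(parts) == 3 and parts[1][1] == b"\xff"
    return subject_empty, san_present, san_critical

def rfc5280_naming_ok(cert_der):            # empty subject needs a critical SAN
    empty, present, critical = subject_and_san(cert_der)
    return (not empty) or (present and critical)

def der(tag, body):                         # short-form DER TLV (sample only)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_cert(empty_subject, san_critical):  # constructed skeleton, not a real cert
    name = der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"example.test")))
    san = der(0x06, SAN_OID) + (der(0x01, b"\xff") if san_critical else b"")
    san += der(0x04, der(0x30, der(0x82, b"example.test")))           # dNSName [2]
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + der(0x30, name) + der(0x30, b"") + der(0x30, b"" if empty_subject else name)
           + der(0x30, b"") + der(0xA3, der(0x30, der(0x30, san))))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

A certificate with an empty subject and a non-critical SAN fails this check even though the SAN is present, which is the construction a verifier is entitled to reject.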


-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
