Me again.

Sun, Apr 08, 2007 at 11:43:07PM +0400, Eygene Ryabinkin wrote:
> In the presence of the subjectAltName with the DNS
> entries in it, the DNS name of the server SHOULD (if memory serves
> me right: I am not able to find the reference document now) be
> checked against the subjectAltName components.
RFC2818 (http://www.ietf.org/rfc/rfc2818.txt), section 3.1, "Server Identity":

-----
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
-----

-- 
Eygene
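As an added illustration (not part of the original message), a small Python implementation of the RFC 2818 section 3.1 rules quoted above: dNSName SANs take precedence over the CN, and a wildcard may only stand in for one label or a fragment of one label. Function names and the sample certificate values are my own.

```python
import re
from typing import Iterable, List, Optional


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match a single DNS label; '*' may stand for any fragment of that label only."""
    regex = "^" + re.escape(pattern_label).replace(r"\*", "[^.]*") + "$"
    return re.match(regex, host_label, re.IGNORECASE) is not None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818 s3.1 matching: a wildcard never spans a dot, so the label
    counts must agree (*.a.com covers foo.a.com but not bar.foo.a.com)."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def select_identities(san_dns_names: Iterable[str], subject_cn: Optional[str]) -> List[str]:
    """If any dNSName SAN is present it MUST be used; the CN is only a fallback."""
    sans = list(san_dns_names)
    if sans:
        return sans
    return [subject_cn] if subject_cn else []


def server_identity_matches(hostname: str, san_dns_names: Iterable[str],
                            subject_cn: Optional[str]) -> bool:
    """A match against any one identity of the selected type is acceptable."""
    return any(dns_name_matches(ident, hostname)
               for ident in select_identities(san_dns_names, subject_cn))


if __name__ == "__main__":
    # Constructed sample: SAN present, so the CN is ignored even though it matches.
    print(server_identity_matches("www.example.net", ["mail.example.net"], "www.example.net"))
    print(dns_name_matches("*.a.com", "bar.foo.a.com"))
```

Note that the CN-only case in the last function exists purely for the fallback the RFC still permits; a verifier that silently accepts a matching CN while a non-matching SAN is present does not follow the MUST above.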
