SSL connections between the server and agent are managed by the underlying httpcomponents library. The current implementation (4.5.4) seems to prefer verifying the SAN before verifying the CN. You can take a look at the code here <https://github.com/apache/httpcomponents-client/blob/4.5.4/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java#L109-L135>.
All of this only kicks in if you've turned on end-to-end SSL <https://docs.gocd.org/current/installation/ssl_tls/end_to_end_transport_security.html>; otherwise everything falls back to an insecure "trust all" mode.

On Tue, Jan 9, 2018 at 2:41 AM Vinod Damle <[email protected]> wrote:

> Hello team,
>
> Does gocd support DNS name in Subject Alternative Name (if present) in
> certificates? If so,
>
> (1) Does Subject Alternate Name take precedence over Common Name in the
> Subject field of the cert?
> (2) What is the basis for selection of one of many Subject Alternative
> Names that may be present? Does gocd select the entry that matches the
> hostname on which it is running (by trying each, until a match is found)?
>
> Thanks,
> Vinod
>
> --
> You received this message because you are subscribed to the Google Groups
> "go-cd" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
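
As an added example (not part of the original thread and not the httpcomponents source), this Java class models the RFC 2818 section 3.1 order that the reply describes: each dNSName SAN entry is tried against the hostname the client connected to, and the CN is a fallback only when the certificate has no SAN entries. The class name, method names and sample hostnames are assumptions made for the illustration, and it covers DNS names only (no IP-address SANs, no public-suffix checks).

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

// Added illustration: models RFC 2818 section 3.1 name checking for DNS names.
// Hypothetical class, not the httpcomponents DefaultHostnameVerifier code.
public class SanBeforeCn {

    // True if the pattern (exact name or "*.example.com") covers the host.
    static boolean matchesName(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        // The wildcard stands for exactly one left-most label.
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // host: the name the client used to connect (not the server's own idea
    //       of its hostname).
    // sanDnsNames: dNSName entries from the certificate, possibly empty.
    // cn: subject Common Name, consulted only when there are no SAN entries.
    static boolean verify(String host, List<String> sanDnsNames, String cn) {
        if (!sanDnsNames.isEmpty()) {
            // Every entry is tried; order is irrelevant, any match is enough.
            for (String san : sanDnsNames) {
                if (matchesName(host, san)) {
                    return true;
                }
            }
            return false; // SAN present but no match: the CN is never consulted
        }
        return cn != null && matchesName(host, cn);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real GoCD certificate.
        List<String> sans = Arrays.asList("build.example.com", "*.ci.example.com");
        // Case 1: host is covered by the wildcard SAN entry.
        System.out.println(verify("gocd.ci.example.com", sans, "other.example.com"));
        // Case 2: no SAN entry matches; the CN equals the host but is ignored.
        System.out.println(verify("gocd.example.com", sans, "gocd.example.com"));
        // Case 3: certificate without SAN entries, so the CN fallback applies.
        System.out.println(verify("gocd.example.com",
                Collections.<String>emptyList(), "gocd.example.com"));
    }
}
```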
