dhiva wrote:
> I would expect the security module of the mozilla to work like this...
> * Check the CN value of the subject name against the host name
> (www.mozilla.org OR whatever)
> proceed if it matches...
> * if it doesn't, look for the SubjectAltName extension
> if not present, reject
> if present, scan through the DN values against the host name
> (www.mozilla.org OR whatever)
> if it matches proceed else reject...
>
> I have a Cert with CN as host name and multiple host names listed in the
> SubjectAltName extension, but I am getting "Domain name mismatch warning"
>
> Someone explain please.
Easy to explain.
Mozilla (er, PSM) doesn't presently look at SubjectAltName extensions.
It does look for an old Netscape-defined extension with the OID
{ 2 16 840 1 113730 1 12 } which predates the SubjectAltName extension,
and if present, the IA5String in that extension is used instead of
the CN in the subject name.
The comparison between the hostname in the URL (call it "hn") and the
name from the cert (either from the NS extension or from the subject CN
attribute, either way call it "cn") is then done as follows:
Step 1. If hn does not contain a "dot", and cn does contain a dot, then
truncate cn at the leftmost dot.
E.g. if hn is "www" and cn is "www.foo.com", truncate cn to be "www".
Step 2. If "cn" is a regular expression (e.g. has wildcard characters,
etc.) then test whether hn matches the regular expression in cn.
If so, the cert name matches, if not it is a mismatch error.
Either way, Stop here if cn is a regular expression.
Step 3. "cn" is not a regular expression. Compare the hn and cn strings.
If they match, the cert name matches, stop.
Step 4. If hn contained a dot, compare the string to the right of the
leftmost dot in hn (that is, the domain part of hn) with the
string cn. If they match, the cert name is considered a match, stop.
Examples:
if hn is "www.foo.bar" and cn is "foo.bar", they will match.
if hn is "www.xxx.foo.bar" and cn is "foo.bar", they will not match.
Step 5. The cert name is a mismatch. stop.
Note: the above is just a description of the function CERT_VerifyCertName
in mozilla/security/nss/lib/certdb/certdb.c
The rules followed by mozilla's regular expression code for regular
expressions in CNs are found in the web page
http://wp.netscape.com/eng/security/ssl_2.0_certificate.html#Site
(scroll down to the heading "Subject Common Name").
--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
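The five matching steps described in the reply above, as an added example in C that is neither NSS's own CERT_VerifyCertName nor code from the thread; the wildcard matcher is a simplified stand-in for NSS's shell-expression rules (see the linked Netscape page), and case-insensitive comparison is an assumption the post does not state. Running it makes the laxness of Step 4 concrete: a cert naming "foo.bar" is accepted for "www.foo.bar".

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

/* Shell-style wildcard match, case-insensitive: '*' matches any run of
 * characters, '?' exactly one. Assumption: this stands in for NSS's own
 * shell-expression matcher, whose rules are on the Netscape page linked above. */
static bool wildcard_match(const char *pat, const char *s)
{
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*') {            /* try every split point for the '*' */
        for (;; s++) {
            if (wildcard_match(pat + 1, s)) return true;
            if (*s == '\0') return false;
        }
    }
    if (*s == '\0') return false;
    if (*pat == '?' || tolower((unsigned char)*pat) == tolower((unsigned char)*s))
        return wildcard_match(pat + 1, s + 1);
    return false;
}

/* Returns true when host name hn matches cert name cn under the five steps
 * described above. Comparisons are case-insensitive (an assumption; the post
 * does not say which comparison NSS uses). */
bool cert_name_matches(const char *hn, const char *cn_in)
{
    char cn[256];
    const char *hn_dot = strchr(hn, '.');
    char *cn_dot;
    if (strlen(cn_in) >= sizeof cn)
        return false;   /* oversize cert name: treat as a mismatch */
    strcpy(cn, cn_in);
    /* Step 1: unqualified hn but qualified cn -> keep only cn's first label. */
    if (hn_dot == NULL && (cn_dot = strchr(cn, '.')) != NULL)
        *cn_dot = '\0';
    /* Step 2: a wildcard cn decides the outcome either way; stop here. */
    if (strpbrk(cn, "*?") != NULL)
        return wildcard_match(cn, hn);
    /* Step 3: exact match. */
    if (strcasecmp(hn, cn) == 0)
        return true;
    /* Step 4: the domain part of hn (right of its leftmost dot) equals cn. */
    if (hn_dot != NULL && strcasecmp(hn_dot + 1, cn) == 0)
        return true;
    /* Step 5: mismatch. */
    return false;
}
```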