Nelson B. Bolyard wrote:
>
> The comparison between the hostname in the URL (call it "hn") and the
> name from the cert (either from the NS extension or from the subject CN
> attribute, either way call it "cn") is then done as follows:
>
> Step 1. If hn does not contain a "dot", and cn does contain a dot, then
>         truncate cn at the left most dot.
>
>         e.g. if hn is "www" and cn is "www.foo.com", truncate cn to be "www".
>
> Step 2. If "cn" is a regular expression (e.g. has wild card characters,
>         etc.) then test whether hn matches the regular expression in cn.
>         If so, the cert name matches, if not it is a mismatch error.
>         Either way, Stop here if cn is a regular expression.
>
> Step 3. "cn" is not a regular expression. compare the hn and cn strings.
>         if they match, the cert name matches, stop.
>
> Step 4. If hn contained a dot, compare the string to the right of the
>         leftmost dot in hn (that is, the domain part of hn) with the
>         string cn. If they match, the cert name is considered a match, stop.
>
>         examples:
>         if hn is "www.foo.bar" and cn is "foo.bar", they will match.
>         if hn is "www.xxx.foo.bar" and cn is "foo.bar", they will not match.
>
> Step 5. The cert name is a mismatch. stop.
For security reasons I would be glad if you drop steps 1. and 4.

Ciao,
Michael.
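The following is an added illustration, not code from this thread or from NSS: it implements the five-step hostname-to-certificate-name comparison quoted above in Python, next to a variant that omits steps 1 and 4, and lists the hostname/cert-name pairs on which the two disagree. The quoted text does not define the "regular expression" syntax of step 2, so shell-style wildcards (`*`, `?`) are assumed here; the sample pairs are constructed for the demonstration and include the examples from the quoted message.

```python
import fnmatch


def _is_pattern(cn: str) -> bool:
    # Assumption: the quoted steps say "regular expression (e.g. has wild card
    # characters)" without defining the syntax; shell-style wildcards are used here.
    return any(ch in cn for ch in "*?[")


def cert_name_matches(hn: str, cn: str, lenient: bool = True) -> bool:
    """Compare the URL hostname hn with the certificate name cn.

    lenient=True  applies all five steps as quoted in the thread.
    lenient=False drops steps 1 and 4 (exact match or wildcard match only).
    The quoted steps say nothing about letter case, so comparison is exact.
    """
    # Step 1: a bare hostname (no dot) is compared against the leftmost label of cn.
    if lenient and "." not in hn and "." in cn:
        cn = cn.split(".", 1)[0]

    # Step 2: wildcard cert names decide the result on their own.
    # Note: fnmatch's '*' also spans dots, so '*.foo.bar' accepts 'a.b.foo.bar';
    # the quoted text does not constrain the wildcard's scope either.
    if _is_pattern(cn):
        return fnmatch.fnmatchcase(hn, cn)

    # Step 3: plain string comparison.
    if hn == cn:
        return True

    # Step 4: the part of hn to the right of its leftmost dot may equal cn,
    # so a cert for "foo.bar" is accepted for any "<label>.foo.bar".
    if lenient and "." in hn:
        domain_part = hn.split(".", 1)[1]
        if domain_part == cn:
            return True

    # Step 5: mismatch.
    return False


def disagreements(cases):
    """Return the (hn, cn) pairs the five-step procedure accepts but the
    variant without steps 1 and 4 rejects."""
    return [
        (hn, cn)
        for hn, cn in cases
        if cert_name_matches(hn, cn, lenient=True)
        and not cert_name_matches(hn, cn, lenient=False)
    ]


# Constructed sample pairs (hostname from URL, name from certificate).
SAMPLE_CASES = [
    ("www", "www.foo.com"),             # step 1 example from the quoted message
    ("www.foo.bar", "foo.bar"),         # step 4 example: accepted by step 4
    ("www.xxx.foo.bar", "foo.bar"),     # step 4 example: rejected (two labels deep)
    ("www.foo.bar", "www.foo.bar"),     # exact match, step 3
    ("www.foo.bar", "*.foo.bar"),       # wildcard match, step 2
    ("www", "*.foo.com"),               # step 1 reduces "*.foo.com" to "*"
]


if __name__ == "__main__":
    for hn, cn in SAMPLE_CASES:
        print(f"{hn:18} vs {cn:14} five-step={cert_name_matches(hn, cn)!s:5} "
              f"no-1-4={cert_name_matches(hn, cn, lenient=False)}")
    print("accepted only with steps 1 and 4:", disagreements(SAMPLE_CASES))
```

Running the block prints one line per sample pair with the verdict of each variant, then the pairs that only pass because of steps 1 and 4; those three pairs are exactly the cases where a certificate issued for one name is accepted for a different hostname.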
