On Sun, Aug 29, 2004, Ralph Seichter wrote:
> Dr. Stephen Henson wrote:
>
> > Try adding multiple subjectAltName extensions with the option "DNS".
> > This is the official way to indicate a hostname; putting it in CN is
> > just for compatibility with legacy applications.
>
> I added the following options to /etc/ssl/openssl.cnf:
>
> commonName_default = www.domain1.org
> subjectAltName = DNS:www.domain2.net,
>     DNS:www.domain3.com
>
> and I am getting an interesting error message from Mozilla Firefox.
> When I try to connect to https://www.domain1.org/, Firefox tells me
> that it expects a certificate for "www.domain1.org" and receives a
> cert for "www.domain1.org". The host names in the error message are
> identical, but Firefox is complaining anyway. :-)
>
> When I change the openssl.cnf settings to look like this
>
> commonName_default = foo.domain1.org
> subjectAltName = DNS:www.domain1.org,
>     DNS:www.domain2.net,
>     DNS:www.domain3.com
>
> the URLs
>
> https://www.domain1.org/
> https://www.domain2.net/
> https://www.domain3.com/
>
> can be accessed using Firefox without any error messages. One could
> guess that Firefox matches against CN if no DNS is available, and
> against DNS without looking at CN if DNS is available. Should this
> be considered the correct behaviour?
Other than the incorrect error message, that's how it should behave. This is
described in RFC 2818.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
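The RFC 2818 section 3.1 rule Steve refers to, worked through as an added Python example (not code from OpenSSL, Firefox or this thread): when a certificate carries any dNSName subjectAltName, the client matches the requested host against those names only and ignores the CN; the CN is consulted only when no dNSName is present. The certificate dictionaries are constructed stand-ins for parsed certificate fields and mirror the two openssl.cnf variants Ralph quoted; no real X.509 parsing is done.

```python
import re

def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName (or CN) pattern against a hostname per RFC 2818:
    case-insensitive, and '*' matches a single label or label fragment
    (so *.a.com matches foo.a.com but not bar.foo.a.com, and f*.com
    matches foo.com but not bar.com). The wildcard is only honoured in
    the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if "*" in ".".join(p_labels[1:]):
        return False                      # wildcard outside leftmost label
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False                      # label count or suffix differs
    # Turn the leftmost label into a regex where '*' spans a label fragment.
    regex = re.escape(p_labels[0]).replace(r"\*", "[^.]*")
    return re.fullmatch(regex, h_labels[0]) is not None

def hostname_matches(cert: dict, host: str) -> bool:
    """RFC 2818 s3.1: if any dNSName SAN exists it is the sole identity
    source and the CN is ignored; the CN is used only as a fallback when
    the certificate has no dNSName SAN at all."""
    san_names = cert.get("san_dns", [])
    if san_names:
        return any(_dns_match(name, host) for name in san_names)
    cn = cert.get("cn")
    return cn is not None and _dns_match(cn, host)

# Constructed stand-ins for the parsed subject CN and dNSName SAN values.
# First openssl.cnf variant: www.domain1.org only in the CN, SANs present.
CERT_HOST_ONLY_IN_CN = {"cn": "www.domain1.org",
                        "san_dns": ["www.domain2.net", "www.domain3.com"]}
# Second variant: every served name is a dNSName SAN, CN is unrelated.
CERT_ALL_IN_SAN = {"cn": "foo.domain1.org",
                   "san_dns": ["www.domain1.org", "www.domain2.net",
                               "www.domain3.com"]}
# Legacy certificate with no SAN extension: CN fallback applies.
CERT_LEGACY_CN = {"cn": "www.domain1.org", "san_dns": []}

if __name__ == "__main__":
    for label, cert in [("CN only", CERT_HOST_ONLY_IN_CN),
                        ("all in SAN", CERT_ALL_IN_SAN),
                        ("legacy CN", CERT_LEGACY_CN)]:
        print(f"{label}: www.domain1.org ->",
              hostname_matches(cert, "www.domain1.org"))
```

The first certificate is rejected for www.domain1.org even though the CN matches, which is exactly the case Firefox refused; the misleading "expects X, received X" wording is the bug, not the rejection.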