Also the examples on http://en.wikipedia.org/wiki/X.509 seem to use the same structure. So it probably depends if you specify an email address or not.
Monday, April 11, 2011, 10:23:41 AM, you wrote:

> On Thu, 2011-04-07 at 17:31 +0200, Sander Eikelenboom wrote:
>> Hi All,
>>
>> I'm trying to use Pound as a reverse proxy to multiple Apaches, with SSL
>> and SNI support.
>> I have used the same SSL certificates with apache and nginx and they worked
>> well with the servername in the Common Name field (CN).
>>
>> With "pound-2.6c", it doesn't work. Only one SSL certificate works, because
>> the code seems to compare the wrong item from the certificate to the SNI
>> servername.
>> For my certificate it seems to compare the email address
>> "[email protected]" instead of the CN "backup.eikelenboom.it" (that
>> would match the SNI servername.)
>>
>> --
>> Sander
>>
>>
>> The info from the certificate:
>>
>> root@webproxy:/etc/pound# openssl x509 -in backup.eikelenboom.it.crt -inform
>> PEM -text
>>
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 7 (0x7)
>>         Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT
>> services, CN=Eikelenboom IT services CA/[email protected]
>>         Validity
>>             Not Before: May 1 16:03:45 2010 GMT
>>             Not After : May 1 16:03:45 2011 GMT
>>         Subject: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT
>> services, OU=backup,
>> CN=backup.eikelenboom.it/[email protected]
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>             RSA Public Key: (4096 bit)
>>
>> <SNIP>
>>
>>         X509v3 extensions:
>>             X509v3 Basic Constraints:
>>                 CA:FALSE
>>             Netscape Cert Type:
>>                 SSL Server
>>             Netscape Comment:
>>                 TinyCA Generated Certificate
>>             X509v3 Subject Key Identifier:
>>                 44:4F:07:F1:66:E7:92:45:D3:4A:55:33:65:26:34:CE:D8:93:AD:09
>>             X509v3 Authority Key Identifier:
>>
>> keyid:BA:E9:75:01:FB:61:98:25:BF:7A:BF:1D:4C:A5:34:52:62:4F:44:D7
>>                 DirName:/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT
>> services/CN=Eikelenboom IT services CA/[email protected]
>>                 serial:A8:CF:55:3F:39:E2:FB:60
>>
>>             X509v3 Issuer Alternative Name:
>>                 email:[email protected]
>>             X509v3 Subject Alternative Name:
>>                 email:[email protected]
>>     Signature Algorithm: sha1WithRSAEncryption
>>
>> <SNIP>
>>
>>
>> --
>> To unsubscribe send an email with subject unsubscribe to [email protected].
>> Please contact [email protected] for questions.

> I must admit this is the first time that I see a certificate in this
> format (CN=backup.eikelenboom.it/[email protected]). Is
> this a normal server certificate (as opposed to an "EMail-only"
> certificate)? As a self-signed certificate, I suppose you can do
> whatever you want. I am not even sure that this is legal: what exactly
> is the CN? I would say it depends on what parser you use, but it could
> be backup.eikelenboom.it or backup.eikelenboom.it/emailAddress or even
> backup.eikelenboom.it/[email protected].

> Could people on the list please check their "official" certificates to
> see if this is normal practice?

--
Best regards,
 Sander                            mailto:[email protected]
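Added example (not part of the thread, and not Pound's code): the naive readings of the printed subject discussed above, next to a selection of the CN by attribute type, which is the value that should be compared to the SNI server name. It assumes the `/emailAddress=` in the printed subject is a separate attribute as rendered by openssl's older text output; the e-mail address is a constructed placeholder and all function names are hypothetical.

```python
import re

# Constructed sample in the shape of the Subject line quoted in the thread.
# The e-mail address is a placeholder; the page redacts the real one.
SUBJECT = (
    "C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, "
    "OU=backup, CN=backup.eikelenboom.it/emailAddress=admin@example.invalid"
)

# An attribute starts at the beginning of the line, after ", " or after "/".
_ATTR_START = re.compile(r"(?:^|, |/)([A-Za-z][A-Za-z0-9]*)=")


def parse_subject(line):
    """Split a printed subject into ordered (type, value) pairs.

    Heuristic for printed text only: a value that itself contains ', X=' or
    '/X=' would be mis-split, which is why real code should read the
    attributes from the certificate by type instead of from this string.
    """
    marks = list(_ATTR_START.finditer(line))
    pairs = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(line)
        pairs.append((m.group(1), line[m.end():end]))
    return pairs


def common_names(line):
    """Values of every CN attribute, selected by type rather than position."""
    return [value for attr, value in parse_subject(line) if attr == "CN"]


def naive_cn_tail(line):
    """Naive reading: everything after 'CN=' (swallows the e-mail attribute)."""
    return line.split("CN=", 1)[1]


def naive_last_attribute(line):
    """Naive reading: assume the last subject attribute is the host name."""
    return parse_subject(line)[-1][1]


def sni_matches(line, servername):
    """Case-insensitive exact match of the SNI name against the CN values."""
    wanted = servername.rstrip(".").lower()
    return any(cn.lower() == wanted for cn in common_names(line))
```

The Subject Alternative Name in the quoted certificate carries only an `email:` entry, so the CN is the only place a host name can come from for this certificate.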
