Comments on: openssl client does not check commonName http://www.outflux.net/blog/archives/2010/03/10/openssl-client-does-not-check-commonname/ code is freedom -- patching my itch Tue, 24 Jan 2012 19:58:01 +0000 hourly 1 http://wordpress.org/?v=3.0.5 By: Florob http://www.outflux.net/blog/archives/2010/03/10/openssl-client-does-not-check-commonname/comment-page-1/#comment-885 Florob Thu, 11 Mar 2010 13:14:10 +0000 http://www.outflux.net/blog/?p=330#comment-885 FWIW, at least for XMPP that would not be correct behaviour. The RFC explicitly states: "A server's domainpart SHOULD NOT be represented as a Common Name; instead, the Common Name field SHOULD be reserved for representation of a human-friendly name." FWIW, at least for XMPP that would not be correct behaviour. The RFC explicitly states:
“A server’s domainpart SHOULD NOT be represented as a Common Name;
instead, the Common Name field SHOULD be reserved for representation
of a human-friendly name.”

]]> By: Julien http://www.outflux.net/blog/archives/2010/03/10/openssl-client-does-not-check-commonname/comment-page-1/#comment-884 Julien Thu, 11 Mar 2010 12:17:59 +0000 http://www.outflux.net/blog/?p=330#comment-884 Well, it's not really protocol related. The RFC doesn't require such control, and since OpenSSL is an implementation of the RFC... Well, it’s not really protocol related. The RFC doesn’t require such control, and since OpenSSL is an implementation of the RFC…

]]> By: Vincent Bernat http://www.outflux.net/blog/archives/2010/03/10/openssl-client-does-not-check-commonname/comment-page-1/#comment-883 Vincent Bernat Thu, 11 Mar 2010 11:15:49 +0000 http://www.outflux.net/blog/?p=330#comment-883 I use gnutls-cli for this exact reason: $ gnutls-cli -p 443 outflux.net Resolving 'outflux.net'... Connecting to '198.145.64.173:443'... - Ephemeral Diffie-Hellman parameters - Using prime: 1024 bits - Secret key: 1022 bits - Peer's public key: 1024 bits - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `CN=www.outflux.net', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', RSA key 2048 bits, signed using RSA-SHA, activated `2010-01-04 17:17:30 UTC', expires `2010-07-03 17:17:30 UTC', SHA-1 fingerprint `1cba7d1559705ac6b461cff4a24d1d73a391804b' - The hostname in the certificate does NOT match 'outflux.net' I use gnutls-cli for this exact reason:

$ gnutls-cli -p 443 outflux.net
Resolving ‘outflux.net’…
Connecting to ’198.145.64.173:443′…
- Ephemeral Diffie-Hellman parameters
– Using prime: 1024 bits
– Secret key: 1022 bits
– Peer’s public key: 1024 bits
- Certificate type: X.509
– Got a certificate list of 1 certificates.
– Certificate[0] info:
– subject `CN=www.outflux.net’, issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org’, RSA key 2048 bits, signed using RSA-SHA, activated `2010-01-04 17:17:30 UTC’, expires `2010-07-03 17:17:30 UTC’, SHA-1 fingerprint `1cba7d1559705ac6b461cff4a24d1d73a391804b’
- The hostname in the certificate does NOT match ‘outflux.net’

]]>