I have a question regarding your reference implementation of validate_hostname.
A customer of mine has a server certificate with an empty SAN list, which causes the server hostname validation always to fail (MatchNotFound). The Common Name contains the correct value but is not being used if the SAN list does not contain a matching entry. I was not able to find the corresponding text snippet in the RFC 6125 to reflect this behaviour.
Wouldn't it make more sense to treat an empty SAN list like a non-existing one?
Best regards
That may be a reasonable workaround in the code for broken compatibility; but the Basic Requirements require the SAN list to contain any domain listed in the Common Name field. Whoever issued that certificate is at fault.
At this point we don't think we intend to update this library, so while I'll leave this issue open, we won't be addressing it.
Thank you very much for the quick answer.
For anybody else: I dug some more and found a Stack Overflow thread that references the RFCs that mention your implemented behaviour.
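The distinction the thread turns on is whether the subjectAltName extension is absent or merely contains no matching dNSName. The following is an added illustration, not the project's own validate_hostname: it models a certificate as a constructed `Cert` object (the `Cert`, `match_identifier` and `MatchNotFound` names are assumptions for this example) and applies the RFC 2818 section 3.1 / RFC 6125 section 6.4.4 rule that the Common Name is consulted only when no subjectAltName extension is presented at all. A present-but-empty SAN is treated the same as a present-but-non-matching one, which is the behaviour the thread describes.

```python
"""Hostname matching per RFC 2818 / RFC 6125: CN fallback only when the
certificate carries no subjectAltName extension whatsoever."""
from typing import List, Optional, Sequence


class Cert:
    """Constructed, minimal certificate model for the example (an assumption,
    not a real X.509 parser): ``san`` is None when the extension is absent,
    or a list of dNSName strings (possibly empty) when it is present."""

    def __init__(self, common_name: Optional[str], san: Optional[Sequence[str]]):
        self.common_name = common_name
        self.san: Optional[List[str]] = None if san is None else list(san)


class MatchNotFound(Exception):
    """Raised when no presented identifier matches the reference hostname."""


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style comparison: case-insensitive, a wildcard
    only as the complete left-most label, and no match for bare second-level
    patterns such as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole left-most label may be a wildcard ('w*.example.com' and
    # '*.*.example.com' are rejected).
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    # '*.com' would match every second-level domain; refuse it.
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label, never for 'a.b'.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_identifier(cert: Cert, hostname: str) -> Optional[str]:
    """Return 'SAN' or 'CN' naming the identifier that matched, or None.

    If a subjectAltName extension is present, it is the only source of
    identifiers: an empty or non-matching list ends the check with None,
    and the Common Name is never consulted. Only a certificate with no
    subjectAltName extension at all falls back to the Common Name.
    """
    if cert.san is not None:
        if any(_dns_match(name, hostname) for name in cert.san):
            return "SAN"
        return None
    if cert.common_name is not None and _dns_match(cert.common_name, hostname):
        return "CN"
    return None


def validate_hostname(cert: Cert, hostname: str) -> str:
    """Raise MatchNotFound unless some identifier matches; otherwise report which."""
    matched = match_identifier(cert, hostname)
    if matched is None:
        raise MatchNotFound(f"no identifier in the certificate matches {hostname!r}")
    return matched


if __name__ == "__main__":
    # Constructed sample certificates covering the three cases in the thread.
    no_san = Cert("example.com", None)          # absent SAN: CN is used
    empty_san = Cert("example.com", [])         # present but empty: CN ignored
    other_san = Cert("example.com", ["www.example.com"])
    for label, cert in (("no SAN", no_san), ("empty SAN", empty_san), ("other SAN", other_san)):
        try:
            print(f"{label}: matched via {validate_hostname(cert, 'example.com')}")
        except MatchNotFound as exc:
            print(f"{label}: MatchNotFound ({exc})")
```

Note that RFC 5280 section 4.2.1.6 defines GeneralNames as a SEQUENCE of size 1..MAX and states that a present subjectAltName extension must contain at least one entry, so a certificate whose SAN extension is genuinely empty is malformed before hostname matching even begins; a strict parser may reject it outright rather than reach the CN fallback question at all.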