From: "drbrain (Eric Hodel)"
Date: 2012-05-25T08:23:07+09:00
Subject: [ruby-core:45226] [ruby-trunk - Bug #6493][Assigned] OpenSSL::SSL ignores DN if subjectAltName is specified

Issue #6493 has been updated by drbrain (Eric Hodel).

Category set to ext
Status changed from Open to Assigned
Assignee set to MartinBosslet (Martin Bosslet)
Target version set to 2.0.0
----------------------------------------
Bug #6493: OpenSSL::SSL ignores DN if subjectAltName is specified
https://bugs.ruby-lang.org/issues/6493#change-26808

Author: djmitche (Dustin Mitchell)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext
Target version: 2.0.0
ruby -v: trunk

In ext/openssl/lib/openssl/ssl.rb, verify_certificate_identity seems to intentionally *not* check the DN if any subjectAltName extensions are found. RFC3280 says
   The subject alternative names extension allows additional identities
   to be bound to the subject of the certificate. ...
which suggests that it contains *additional* identities, and thus does not exclude the subject.

This functionality was added way back in 2005, r7970:

  * ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket#post_connection_check): new method.

and moved around several times since then.

-- 
http://bugs.ruby-lang.org/
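The behaviour the report describes can be reproduced without a network by handing OpenSSL::SSL.verify_certificate_identity a self-signed certificate whose subject CN names one host and whose subjectAltName names a different one. The script below is an added example, not code from the bug report or from ext/openssl; the hostnames cn.example.test and san.example.test and the helper names build_cert and identity_matches? are constructed for illustration. With a dNSName SAN present the CN is not consulted at all, so the CN host is rejected; only a certificate with no SAN falls back to the CN.

```ruby
require "openssl"

# Build a short-lived self-signed X.509v3 certificate for the test.
# cn:        value placed in the subject DN as CN
# san_hosts: dNSName entries for the subjectAltName extension ([] = no SAN)
# Constructed for this example; not a certificate from the report.
def build_cert(cn:, san_hosts:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600

  unless san_hosts.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san = san_hosts.map { |h| "DNS:#{h}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san))
  end

  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Thin wrapper around the identity check under discussion; returns true/false.
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

if $PROGRAM_NAME == __FILE__
  with_san = build_cert(cn: "cn.example.test", san_hosts: ["san.example.test"])
  no_san   = build_cert(cn: "cn.example.test", san_hosts: [])

  puts "SAN cert, SAN host:  #{identity_matches?(with_san, 'san.example.test')}"
  puts "SAN cert, CN host:   #{identity_matches?(with_san, 'cn.example.test')}"
  puts "no-SAN cert, CN host: #{identity_matches?(no_san, 'cn.example.test')}"
end
```

The second line of output is the one the report is about: the CN host is refused solely because a subjectAltName extension exists, even though nothing in that extension contradicts the CN.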