From: "mame (Yusuke Endoh)"
Date: 2013-02-18T21:46:09+09:00
Subject: [ruby-core:52454] [ruby-trunk - Bug #6493] OpenSSL::SSL ignores DN if subjectAltName is specified

Issue #6493 has been updated by mame (Yusuke Endoh).

Target version changed from 2.0.0 to next minor
----------------------------------------
Bug #6493: OpenSSL::SSL ignores DN if subjectAltName is specified
https://bugs.ruby-lang.org/issues/6493#change-36521

Author: djmitche (Dustin Mitchell)
Status: Feedback
Priority: Low
Assignee: MartinBosslet (Martin Bosslet)
Category: ext
Target version: next minor
ruby -v: trunk

In ext/openssl/lib/openssl/ssl.rb, verify_certificate_identity seems to intentionally *not* check the DN if any subjectAltName extensions are found. RFC3280 says
   The subject alternative names extension allows additional identities
   to be bound to the subject of the certificate. ...
which suggests that it contains *additional* identities, and thus does not exclude the subject.

This functionality was added way back in 2005, r7970:

* ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLSocket#post_connection_check): new method.

and moved around several times since then.

-- 
http://bugs.ruby-lang.org/
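To observe the behaviour the report describes, here is an added Ruby example (not part of the ticket or of the Ruby sources) that builds two constructed self-signed certificates and runs OpenSSL::SSL.verify_certificate_identity against them; the hostnames are placeholders.

```ruby
require 'openssl'

# Constructed self-signed certificate with the given CN and optional SAN
# dNSName entries (all names are placeholders for the demonstration).
def build_cert(cn, sans)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san_value = sans.map { |s| "DNS:#{s}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san_value, false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Ask Ruby's own identity check whether HOST is accepted for CERT.
def identity_accepted?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Run the two cases the ticket describes and return the outcomes.
def san_vs_cn_results
  with_san = build_cert("cn.example.test", ["san.example.test"])
  cn_only  = build_cert("cn.example.test", [])
  {
    # SAN present and matching: accepted
    san_matches_san:  identity_accepted?(with_san, "san.example.test"),
    # SAN present: the subject CN is not consulted, so the CN host is rejected
    san_cert_cn_host: identity_accepted?(with_san, "cn.example.test"),
    # no SAN at all: the CN is the only identity and is checked
    cn_only_cn_host:  identity_accepted?(cn_only, "cn.example.test")
  }
end

if __FILE__ == $0
  san_vs_cn_results.each { |name, ok| puts "#{name}: #{ok}" }
end
```

The second result is the point of the ticket: once a dNSName SAN is present, a hostname that only appears in the subject DN is not accepted.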