subjectAltName in certificates (was: SSL certificates, kerberos keytabs, and load balancing)

Howard Chu writes:
> The actual syntax in OpenSSL is
> 	subjectAltName=dnsName:ldap.example.com

If I read rfc2830 section 3.6 right, one must put the real hostname - or
something with '*' which matches it - as well as the 'ldap.example.com'
name in subjectAltName:dnsName, because if subjectAltName:dnsName
exists, that is to be used _instead_ of the hostname in the
certificate's CN, not in addition to the CN.

However, OpenLDAP 2.1 with OpenSSL 0.9.7 accepts a hostname which is
only in the CN and not in the existing subjectAltName:dnsName.

Is that an OpenLDAP bug, an OpenSSL bug, an rfc2830 bug, or a bug in my

Example: <ldap/ldaps>://beeblebrox.uio.no/'s certificate has
CN=beeblebrox.uio.no and subjectAltName:dnsName=ldap.uio.no.
It can be used with either hostname.
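As an added illustration of the rule the post reads out of RFC 2830 section 3.6 (this is example code written for this page, not part of the original message and not OpenLDAP or OpenSSL code): when a certificate carries any subjectAltName dNSName, only those names are matched against the connected hostname and the CN is ignored; the CN is consulted only when no dNSName is present. Certificate fields are passed in as plain strings rather than parsed from a real X.509 certificate, the `strict` flag is this example's own switch between the RFC reading and the lenient fallback-to-CN behaviour the post reports observing, and the `*` wildcard is implemented as "any characters within a single DNS label", which is one reasonable reading of the RFC's wording.

```python
"""Hostname matching per the RFC 2830 section 3.6 reading in the post above.

Constructed, self-contained example: CN and dNSName values are plain strings,
no real certificate is parsed.
"""
from __future__ import annotations


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.

    A '*' stands for one or more characters inside a single DNS label, so
    '*.uio.no' matches 'ldap.uio.no' but not 'a.b.uio.no' (assumption of this
    example; RFC 2830 only says '*' is a wildcard).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        if "*" not in p:
            if p != h:
                return False
            continue
        head, _, tail = p.partition("*")
        # The wildcard must consume at least one character of the label.
        if len(h) < len(head) + len(tail) + 1:
            return False
        if not (h.startswith(head) and h.endswith(tail)):
            return False
    return True


def verify_hostname(
    hostname: str,
    cn: str | None,
    san_dns_names: list[str],
    strict: bool = True,
) -> tuple[bool, str]:
    """Return (accepted, reason) for a certificate with the given CN and dNSNames.

    strict=True : RFC 2830 section 3.6 as read in the post: if any dNSName is
                  present, only dNSNames are consulted and the CN is ignored.
    strict=False: the lenient behaviour the post reports seeing, where the CN
                  is still accepted as a fallback even when dNSNames exist.
    """
    for name in san_dns_names:
        if name_matches(name, hostname):
            return True, f"matched subjectAltName dNSName {name!r}"
    if san_dns_names and strict:
        return False, "dNSName present but none matched; CN not consulted"
    if cn is not None and name_matches(cn, hostname):
        why = "no dNSName in certificate" if not san_dns_names else "lenient CN fallback"
        return True, f"matched CN {cn!r} ({why})"
    return False, "neither dNSName nor CN matched"


if __name__ == "__main__":
    # The post's example: CN=beeblebrox.uio.no, dNSName=ldap.uio.no.
    cn, san = "beeblebrox.uio.no", ["ldap.uio.no"]
    for host in ("ldap.uio.no", "beeblebrox.uio.no"):
        print(host, "strict:", verify_hostname(host, cn, san))
        print(host, "lenient:", verify_hostname(host, cn, san, strict=False))
    # The fix the post suggests: also list the real hostname (or a wildcard)
    # in subjectAltName so both names work under the strict rule.
    print(verify_hostname("beeblebrox.uio.no", cn, ["beeblebrox.uio.no", "ldap.uio.no"]))
    print(verify_hostname("beeblebrox.uio.no", cn, ["*.uio.no", "ldap.uio.no"]))
```

Running the block shows the asymmetry the post describes: with only `ldap.uio.no` in subjectAltName, a strict verifier accepts `ldap.uio.no` but rejects `beeblebrox.uio.no` even though it is the CN, while the lenient mode accepts both; adding the real hostname or `*.uio.no` to subjectAltName makes both names pass under the strict rule.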