curl-library
Re: subjectAltName does not match - Wrong test?!
Date: Tue, 15 Sep 2009 11:18:54 +0200
2009/9/15 Sven Anders <anders_at_anduras.de>:
> Daniel Stenberg wrote:
>> On Tue, 15 Sep 2009, Peter Sylvester wrote:
>>
>>>> Issuer: CN=www.anduras.de
>>>> X509v3 Subject Alternative Name:
>>>> email:yyy_at_anduras.de
>>> can you send your certificate, the above extract looks somewhat strange.
> These are only the relevant parts of the Cert. But yes, I only have an
> additional E-Mail address in the "Subject Alternative Name" section.
>> To me that looks like a CN that matches and a subjectAltName that
>> doesn't match, which then by the specs should be considered not a
>> match. (Which is a bug fix we made for 7.19.6 so the previous versions
>> did wrong.)
>>
>> Or am I wrong? That subjectAltName field with an email address looks
>> funny to me.
> Yes and No. A DNS or IP entry should match, but I can have other
> entries (like email, RID, URI, otherName,...) too.
> These should not be considered when trying to match.
OK, but is it OK to have Subject: C=DE,...C=Germany? Why do you have
the country in there twice? And why no CN=hostname?
Are you saying that the hostname check should not be done because
there isn't one in the certificate?
-- Michael Wood <esiotrot_at_gmail.com>

Received on 2009-09-15
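
The host-matching rule debated in this thread, written out following RFC 2818 section 3.1 as an added sketch (not code from the thread and not curl's implementation): subjectAltName entries other than dNSName are skipped, and the CN is consulted only when no dNSName entry exists. The type and function names are hypothetical, the sample data is constructed, and wildcards and IP-literal hosts are left out.

```c
#include <stdio.h>
#include <strings.h>

/* GeneralName kinds that can appear in subjectAltName (subset). */
enum san_type { SAN_DNS, SAN_IP, SAN_EMAIL, SAN_URI, SAN_OTHER };
struct san_entry { enum san_type type; const char *value; };

/*
 * Return 1 if the certificate identity matches `host`, else 0.
 * If any dNSName entry is present, only dNSName entries are consulted
 * and the CN is ignored. The CN is used only when the SAN carries no
 * dNSName at all (for example, an email-only SAN).
 * Assumptions of this sketch: exact case-insensitive comparison,
 * no wildcard handling, and `host` is a DNS name, not an IP literal.
 */
int cert_matches_host(const struct san_entry *san, size_t n,
                      const char *cn, const char *host)
{
    int saw_dns = 0;

    for (size_t i = 0; i < n; i++) {
        if (san[i].type != SAN_DNS)
            continue;           /* email, URI, RID, ... never name a host */
        saw_dns = 1;
        if (strcasecmp(san[i].value, host) == 0)
            return 1;
    }
    if (saw_dns)
        return 0;               /* dNSName present, none matched: no CN fallback */
    return cn != NULL && strcasecmp(cn, host) == 0;
}

/* Constructed sample data, not the certificate from the thread. */
static const struct san_entry email_only[] = { { SAN_EMAIL, "user@example.test" } };
static const struct san_entry dns_other[] = {
    { SAN_DNS, "other.example.test" }, { SAN_EMAIL, "user@example.test" }
};

int main(void)
{
    const char *host = "www.example.test";
    printf("email-only SAN, CN=host: %d\n", cert_matches_host(email_only, 1, host, host));
    printf("email-only SAN, no CN:   %d\n", cert_matches_host(email_only, 1, NULL, host));
    printf("other dNSName, CN=host:  %d\n", cert_matches_host(dns_other, 2, host, host));
    return 0;
}
```

The second case corresponds to the question raised in the last message: with no dNSName entry and no CN in the Subject, there is nothing to compare the hostname against and the check fails.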