
Re: subjectAltName does not match - Wrong test?!

From: Sven Anders <anders_at_anduras.de>
Date: Tue, 15 Sep 2009 11:55:51 +0200

Peter Sylvester wrote:
>> I think the check should only fail, if it did not match a *URI*
>> field with the same hostname. Additional fields (with other types)
>> should be ignored.
> It's a *DNS* field, not URI, but basically it seems to me that
> you are right. RFC 2818 says in detail:
>
> If a subjectAltName extension of type dNSName is present, that MUST
> be used as the identity. Otherwise, the (most specific) Common Name
> field in the Subject field of the certificate MUST be used. Although
> the use of the Common Name is existing practice, it is deprecated and
> Certification Authorities are encouraged to use the dNSName instead.
> ...
>
> In some cases, the URI is specified as an IP address rather than a
> hostname. In this case, the iPAddress subjectAltName must be present
> in the certificate and must exactly match the IP in the URI.
>
> So we have at least these 3 defined situations:
>
> hostname is IP address ==> must have IP altname
> hostname is dns & altname dns, it must match
> hostname is dns & not altname dns, "last" common name must match.
>
I tried to fix it and attached a patch for this.

I know that my certificate is not the best and I have to renew it
anyway, but I think the currently used one should work too. Or is there
a rule/RFC that forces the creation of a subjectAltName-dNSName field?

Regards
 Sven

-- 
 Sven Anders <anders_at_anduras.de>                 () Ascii Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS service solutions AG
 Innstraße 71 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
Legal form: Aktiengesellschaft - Registered office: Passau - Commercial register: Amtsgericht Passau HRB 6032
Members of the Management Board: Sven Anders, Marcus Junker
Chairman of the Supervisory Board: Mark Peters
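Peter's three RFC 2818 situations, together with Sven's point that SAN entries of other types (URI, e-mail) must not cause a failure, written out as an added C example; this is neither curl's code nor the patch attached to the mail. The `struct san` model, the single-label wildcard handling and the textual IP comparison are assumptions, and the host names and certificate contents in the comments are constructed.

```c
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* Constructed, simplified SAN model: only the type tags this check distinguishes. */
enum san_type { SAN_DNS, SAN_IP, SAN_URI, SAN_OTHER };
struct san { enum san_type type; const char *value; };

/* Is the requested host a literal IPv4/IPv6 address (RFC 2818 case 1)? */
static int host_is_ip(const char *host) {
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1;
}

/* dNSName comparison: case-insensitive, single leftmost "*" label only, so
 * "*.a.com" matches "foo.a.com" but not "bar.foo.a.com" or "a.com". */
static int dns_match(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && strcasecmp(pattern + 2, dot + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}
/* Returns 1 if the certificate identity matches host, 0 otherwise. cns holds
 * the subject's Common Names in certificate order; the last one is the
 * "most specific" CN that RFC 2818 refers to. */
int cert_matches_host(const char *host, const struct san *sans, size_t nsans,
                      const char *const *cns, size_t ncns) {
    size_t i;
    int saw_dns = 0;
    if (host_is_ip(host)) {           /* case 1: iPAddress SAN is mandatory */
        for (i = 0; i < nsans; i++)   /* textual compare; assumes canonical form */
            if (sans[i].type == SAN_IP && strcmp(sans[i].value, host) == 0)
                return 1;
        return 0;
    }
    for (i = 0; i < nsans; i++) {
        if (sans[i].type != SAN_DNS)
            continue;                 /* URI, e-mail and other types are ignored */
        saw_dns = 1;                  /* case 2: a dNSName is present -> authoritative */
        if (dns_match(sans[i].value, host))
            return 1;
    }
    if (saw_dns)
        return 0;                     /* dNSName present but unmatched: CN not consulted */
    /* case 3: no dNSName at all -> the last (most specific) CN decides */
    return ncns > 0 && dns_match(cns[ncns - 1], host);
}
```

A certificate carrying only a URI SAN therefore falls through to the CN check, while a certificate with a non-matching dNSName fails regardless of its CN.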


Received on 2009-09-15