curl-library
Re: subject Alternative field check in server certificate
Date: Wed, 26 Dec 2012 22:11:23 +0100
On 26-12-12 17:19, Indtiny s wrote:
> I verified the certificate with openssl command line tool , in that I
> could see the subject filed is NULL and the SubjAltNames is present .
>
> This is valid as per the As per [RFC 5280], “If subject naming information
> is present only in the subjectAltName extension
> (e.g., a key bound only to an email address or URI), then the subject name
> MUST be an empty sequence and the subjectAltName extension MUST be critical .
>
> When I tried to understand the curl code for this problem Curl is calling
> “X509_get_subject_name” for retrieving “SubjectName”, if “SubjectName” field
> is empty, the curl is throwing “SSL: couldn't get X509-subject!” error
> instead of checking for “SubjectAlternativeName extension”. ..
>
> Is it really curl is missing to check the SubjectAlternativeName ..? if curl
> support this then how to enable the curl for checking the Subject
> Alternative name ?
>
> Rgds
> Indra
Hi,
I believe the RFC5280 is misinterpreted on this point and you probably meant
to point to RFC2818 with regards to the Subject Alt Name checks itself.
However, with respect to RFC5280; if there is no naming available at all,
then the Subject Name must be an empty sequence. This is to say, if you have
no motivation what so ever to follow a naming scheme of a CA.
Not having/implementing/using a Subject Name (of Subject DN) is against a
(strong) recommendation of CAB/Forum.
On the practical note I suspect more tools to cast an error on this
certificate construction. Also different SSL backends of libcurl might also
cast warnings or errors from the SSL stack itself.
What CA did you use? Was it a commercial CA?
I've considered to remove this check in the assumption Subject Alt Names are
present, but declined on a matter of best practices to always have a Subject
Name, even when not used in an RFC2818 check.
Oscar
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature