SSL - How do Common Names (CN) and Subject Alternative Names (SAN) work together?


Question


Assuming the Subject Alternative Name (SAN) property of a SSL certificate contains two DNS names

  1. domain.tld
  2. host.domain.tld


but the Common Name (CN) is set to only one of both: CN=domain.tld.

  • Has this setup a special meaning, or any [dis]advantages over setting both CNs?
  • What happens on server-side if the other one, host.domain.tld, is being requested?

Edit:


As I recently learned from Eugene's answer, the behaviour differs by implementation, so I want to get more specific: how does OpenSSL 0.9.8b+ handle the given scenario?

Recommended answer


This depends on implementation, but the general rule is that the domain is checked against all SANs and the common name. If the domain is found there, then the certificate is ok for connection.


RFC 5280, section 4.1.2.6 says "The subject name MAY be carried in the subject field and/or the subjectAltName extension". This means that the domain name must be checked against both the SubjectAltName extension and the Subject property (namely its common name parameter) of the certificate. These two places complement each other and do not duplicate it. And SubjectAltName is a proper place to put additional names, such as www.domain.com or www2.domain.com.


Update: as per RFC 6125, published in 2011, the validator must check SAN first, and if SAN exists, then CN should not be checked. Note that RFC 6125 is relatively recent and there still exist certificates, and CAs that issue certificates, which include the "main" domain name in CN and alternative domain names in SAN. I.e. by excluding CN from validation if SAN is present, you can deny some otherwise valid certificates.
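To make the two validation rules from the answer concrete, here is an added Python illustration (not code from the question, the answer, or any TLS library). It models only the two identity sources a certificate carries, the subjectAltName dNSName list and the CN, with constructed values taken from the question, and implements both the RFC 6125 rule (SAN is authoritative; CN is consulted only when no dNSName SAN exists) and the older "match anywhere" rule. It goes slightly beyond the text by also applying the RFC 6125 wildcard rule (a single `*` only as the whole left-most label, matching exactly one label). The `CertIdentity` class and `hostname_matches` function are this example's own names, and the certificate contents are constructed, not parsed from real certificates.

```python
"""Hostname matching against a certificate's SAN dNSName entries and CN.

Added example. The two identity sources are modelled directly instead of
being parsed from DER/PEM; CertIdentity and hostname_matches are names chosen
for this example, and every certificate below is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """The two places a certificate can carry a host name (constructed data)."""
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, plus the RFC 6125 wildcard rule:
    '*' is accepted only as the entire left-most label and matches exactly
    one label, so '*.domain.tld' covers 'host.domain.tld' but neither
    'domain.tld' nor 'a.b.domain.tld'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert: CertIdentity, rfc6125: bool = True) -> bool:
    """Return True if `hostname` is covered by the certificate.

    rfc6125=True  : SAN is checked first; when the certificate carries any
                    dNSName SAN, the CN is ignored entirely.
    rfc6125=False : the answer's "general rule" for older validators: the
                    name is accepted if it appears in any SAN or in the CN.
    """
    if any(_name_matches(name, hostname) for name in cert.san_dns_names):
        return True
    if rfc6125 and cert.san_dns_names:
        return False  # SAN present and no match: CN must not rescue it
    return cert.common_name is not None and _name_matches(cert.common_name, hostname)


# Constructed certificate from the question: CN=domain.tld, SAN holds both names.
QUESTION_CERT = CertIdentity("domain.tld", ["domain.tld", "host.domain.tld"])

# Constructed legacy-style certificate the answer warns about: the "main" name
# lives only in the CN while the SAN lists the alternative names.
LEGACY_CERT = CertIdentity("domain.tld", ["www.domain.tld", "www2.domain.tld"])

# Constructed wildcard certificate with no CN at all.
WILDCARD_CERT = CertIdentity(None, ["*.domain.tld"])


if __name__ == "__main__":
    for host, cert, label in [
        ("host.domain.tld", QUESTION_CERT, "question cert, name only in SAN"),
        ("domain.tld", LEGACY_CERT, "legacy cert, name only in CN"),
        ("domain.tld", WILDCARD_CERT, "wildcard cert, bare domain"),
    ]:
        print(f"{label:40s} rfc6125={hostname_matches(host, cert)} "
              f"legacy={hostname_matches(host, cert, rfc6125=False)}")
```

For the certificate in the question, `host.domain.tld` is accepted under both rules because it appears in the SAN, so the CN never matters. The `LEGACY_CERT` case shows the answer's caveat in code: `domain.tld` is present only in the CN, so a strict RFC 6125 validator rejects it while the older rule accepts it.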
