How do Common Names (CN) and Subject Alternative Names (SAN) work together?


Question

Assuming the Subject Alternative Name (SAN) property of an SSL certificate contains two DNS names

  1. domain.tld
  2. host.domain.tld

but the Common Name (CN) is set to only one of both: CN=domain.tld.

  • Does this setup have a special meaning, or any [dis]advantages over setting both CNs?
  • What happens on server-side if the other one, host.domain.tld, is being requested?

Specifically, how does OpenSSL 0.9.8b+ handle the given scenario?

Answer

This depends on implementation, but the general rule is that the domain is checked against all SANs and the common name. If the domain is found there, then the certificate is ok for connection.

RFC 5280, section 4.1.2.6 says "The subject name MAY be carried in the subject field and/or the subjectAltName extension". This means that the domain name must be checked against both the SubjectAltName extension and the Subject property (namely its common name parameter) of the certificate. These two places complement each other and do not duplicate each other. And SubjectAltName is a proper place to put additional names, such as www.domain.com or www2.domain.com.

Update: as per RFC 6125, published in 2011, the validator must check SAN first, and if SAN exists, then CN should not be checked. Note that RFC 6125 is relatively recent and there still exist certificates and CAs that issue certificates which include the "main" domain name in CN and alternative domain names in SAN. I.e. by excluding CN from validation if SAN is present, you can deny some otherwise valid certificates.
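The two matching rules the answer contrasts (RFC 6125 "SAN first, ignore CN when a SAN exists" versus the older "check CN and SAN") as an added Python example; this is not code from the original answer, and the `CertNames` class is a constructed stand-in for the identity fields of a parsed certificate, not a real library API.

```python
"""Hostname matching against CN and dNSName SANs under both rules."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Constructed stand-in for a certificate's identity fields (hypothetical)."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison of one dNSName/CN value with a hostname.
    A wildcard is honoured only as the whole left-most label (RFC 6125 6.4.3),
    it never spans more than one label, and '*.tld' is rejected as too broad."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def hostname_matches(cert: CertNames, hostname: str, rfc6125: bool = True) -> bool:
    """rfc6125=True : if any dNSName SAN is present, the CN is ignored.
    rfc6125=False: legacy behaviour, the CN is consulted as well."""
    if any(_name_matches(n, hostname) for n in cert.san_dns):
        return True
    if cert.san_dns and rfc6125:
        return False  # SAN present but no match: do not fall back to CN
    return cert.common_name is not None and _name_matches(cert.common_name, hostname)


if __name__ == "__main__":
    # The certificate from the question: CN=domain.tld, SAN={domain.tld, host.domain.tld}
    question_cert = CertNames("domain.tld", ["domain.tld", "host.domain.tld"])
    # A legacy-style certificate: main name only in CN, extra name only in SAN
    legacy_cert = CertNames("domain.tld", ["host.domain.tld"])
    for cert in (question_cert, legacy_cert):
        for host in ("domain.tld", "host.domain.tld"):
            print(cert.common_name, cert.san_dns, host,
                  "rfc6125:", hostname_matches(cert, host),
                  "legacy:", hostname_matches(cert, host, rfc6125=False))
```

The legacy certificate is the case the answer warns about: `domain.tld` validates only when the CN is still consulted.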
