Michal Suchanek | 28 May 2012 14:33

problem with hostname matching

Hello,

I created a cert a long time ago using a howto that suggested
including the trailing dot in the domain name as good practice.

The verification with gnutls_x509_crt_check_hostname now works only
when the trailing dot is also specified in the host name.

Is this expected behaviour?

The trailing dot in the domain name should not be significant in this
case as the certificate is supposed to be issued for a fully qualified
domain name.

I am not quite sure how I would go about checking the name myself
without using the shorthand function, either.

Thanks

Michal
Nikos Mavrogiannopoulos | 28 May 2012 23:16

Re: problem with hostname matching

On 05/28/2012 02:33 PM, Michal Suchanek wrote:

> Hello,
>
> I created a cert a long time ago using a howto that suggested
> including the trailing dot in the domain name as good practice.
>
> The verification with gnutls_x509_crt_check_hostname now works only
> when the trailing dot is also specified in the host name.
>
> Is this expected behaviour?

Yes. These fields are under the "preferred name syntax" of RFC 1035,
which does not allow a trailing dot.

> I am not quite sure how I would go about checking the name myself
> without using the shorthand function, either.

You have to check RFC2818 which documents the procedure. You need to
read the certificate fields of subject alternative name, common name etc.

regards,
Nikos
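
The RFC 2818 procedure referred to in the reply above, as an added example that is not part of the thread and is not GnuTLS code: dNSName entries from subjectAltName are checked first, and the Common Name is consulted only when no dNSName is present. It assumes the names have already been read out of the certificate as C strings; the function names and sample names are constructed, and wildcard handling is narrowed to a `*` that forms the whole leftmost label.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Compare one certificate name with the host name: case-insensitive,
 * "*" accepted only as the entire leftmost label, covering one label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *rest = strchr(host, '.');
        if (rest == NULL || rest == host)   /* no label for "*" to cover */
            return 0;
        return strcasecmp(pattern + 1, rest) == 0;
    }
    /* Plain string comparison: a trailing dot on either side is a mismatch. */
    return strcasecmp(pattern, host) == 0;
}

/* dns_sans/n_sans: dNSName entries of subjectAltName (n_sans may be 0).
 * cn: subject Common Name, or NULL. Returns 1 on match, 0 otherwise. */
int check_hostname(const char *const *dns_sans, size_t n_sans,
                   const char *cn, const char *host)
{
    size_t i;

    if (n_sans > 0) {               /* dNSName present: CN must be ignored */
        for (i = 0; i < n_sans; i++)
            if (name_matches(dns_sans[i], host))
                return 1;
        return 0;
    }
    return cn != NULL && name_matches(cn, host);
}

/* Constructed sample names, not taken from any real certificate. */
static const char *const SAN_DOTTED[] = { "mail.example.org." };
static const char *const SAN_WILD[]   = { "*.example.org" };

int main(void)
{
    printf("dotted cert, host with dot:    %d\n",
           check_hostname(SAN_DOTTED, 1, NULL, "mail.example.org."));
    printf("dotted cert, host without dot: %d\n",
           check_hostname(SAN_DOTTED, 1, NULL, "mail.example.org"));
    printf("wildcard cert, www host:       %d\n",
           check_hostname(SAN_WILD, 1, NULL, "www.example.org"));
    return 0;
}
```
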
