[Swan] IKE failure/Issue with Subject Alternative Name
Paul Wouters
paul at nohats.ca
Thu Oct 12 19:26:47 EEST 2023
On Thu, 12 Oct 2023, Paul Wouters wrote:
> It does strongly suggest you do not have a subjectAltName extension, and
> trusting CN= is no longer considered secure.
I should clarify this:
https://datatracker.ietf.org/doc/html/rfc2818#section-3.1
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
Mostly because of the WebPKI, and things like ACME that can authenticate
a DNS name or IP in a subjectAltName, but not the random data within a
CN=.
Also because of multiple SAN entries, the CN= is kind of losing its meaning.
In the context of enduser certificates, it is obviously still very valid
and also secure. Sorry for the confusion.
Paul
More information about the Swan
mailing list