Issue #6493 has been reported by djmitche (Dustin Mitchell).

----------------------------------------
Bug #6493: OpenSSL::SSL ignores DN if subjectAltName is specified
https://bugs.ruby-lang.org/issues/6493

Author: djmitche (Dustin Mitchell)
Status: Open
Priority: Normal
Assignee: 
Category: 
Target version: 
ruby -v: trunk


In ext/openssl/lib/openssl/ssl.rb, verify_certificate_identity seems to intentionally *not* check the DN if any subjectAltName extensions are found.

RFC3280 says

<pre>
   The subject alternative names extension allows additional identities
   to be bound to the subject of the certificate. ...
</pre>

which suggests that it contains *additional* identities, and thus does not exclude the subject.

This functionality was added way back in 2005, r7970:

    * ext/openssl/lib/openssl/ssl.rb
      (OpenSSL::SSL::SSLSocket#post_connection_check): new method.

and moved around several times since then.


-- 
http://bugs.ruby-lang.org/
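A runnable illustration of the behaviour the report describes, added here as an example and not code from the report or from Ruby's own test suite. It builds two self-signed certificates: one carrying a subject CN plus a subjectAltName dNSName, and one carrying only a subject CN, then asks `OpenSSL::SSL.verify_certificate_identity` (the function the report names) which hostnames it accepts. The hostnames, keys and the helper names `make_cert` and `identity_matches?` are constructed for this example.

```ruby
require "openssl"

# Build a self-signed certificate with the given subject CN and an optional
# list of subjectAltName entries (e.g. "DNS:host"). The key, serial and
# validity window are throwaway values constructed for this example.
def make_cert(cn, sans = [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("subjectAltName", sans.join(","), false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Thin wrapper around the stdlib check so the result can be asserted on.
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Certificate 1: subject CN and a subjectAltName dNSName that differ.
CERT_WITH_SAN = make_cert("cn.example.test", ["DNS:san.example.test"])
# Certificate 2: subject CN only, no subjectAltName extension.
CERT_CN_ONLY  = make_cert("cn.example.test")

if __FILE__ == $0
  # With a dNSName present, only the SAN is consulted; the CN is ignored.
  puts "SAN cert, SAN host: #{identity_matches?(CERT_WITH_SAN, 'san.example.test')}"
  puts "SAN cert, CN host:  #{identity_matches?(CERT_WITH_SAN, 'cn.example.test')}"
  # Without a SAN extension, the CN is consulted as the fallback.
  puts "CN-only cert, CN host: #{identity_matches?(CERT_CN_ONLY, 'cn.example.test')}"
end
```

Run it with `ruby` and the stdlib openssl extension; the first certificate is accepted for `san.example.test` and rejected for `cn.example.test`, while the CN-only certificate is accepted for `cn.example.test`, which is exactly the asymmetry the report is about.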