Certificate verify in conscrypt is not follow RFC2818

Question

Certificate verify in conscrypt is not follow RFC2818

superajun-wsj opened this issue a year ago · 2 comments

If a server side's certificate with no SubjectAltNames, client side should use Common name field in the subject field. But conscrypt only check SubjectAltNames while not subject when it verifies the certificate from server side.

Per RFC 2818 section 3.1,

If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.

Answer 1 · 2023-06-09T09:25:38.000Z

RFC 2818 is over 20 years old now and the use of CN was deprecated even then, in the text you quote:

Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead

Use of CN led to many security issues over the years and starting in 2017 all the major browsers stopped allowing its use. This was followed in 2018 by okhttp, Android and Conscrypt all dropping support for CN.

Answer 2 · 2023-06-09T10:07:34.000Z

got it, thank you very much!!!