colecmac at protonmail.com colecmac at protonmail.com
Fri Jul 17 16:26:08 BST 2020
- - - - - - - - - - - - - - - - - - -
On the surface I think you're right, that in the TOFU world,CN shouldn't matter, and neither should subjectAltName, etc.We shouldn't even need wildcard certs, because anything should beaccepted.
However, I hope someone more knowledgeable can chime in, maybethere's an issue I'm not considering.
makeworld
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐On Friday, July 17, 2020 5:09 AM, Alex Schroeder <alex at gnu.org> wrote:
Luke Emmet writes:
I'm getting "failed to connect to the server: hostname does not
verify: x509: certificate is valid for celulinde, not
caranatar.xyz"
On Fri, 2020-07-17 at 04:20 -0400, Caranatar wrote:
Ah crap apparently none of the clients I was using to test were
actually
verifying the certificate, and I forgot to change the CN when I
copy/pasted my cert generation command from my laptop. It should be
working now...
What do other people think about this? My personal impression was that
in a trust on first use (TOFU) world, the common name (CN) of a
certificate could be anything. It could be "Alex Schroeder", for
example. Or it could be "alexschroeder.ch". Even if it was served as
the certificate for another domain, like transjovian.org. After all,
the question is only whether you "trust on first use".
My impression is that a client that tries to verify that CN and domain
match is doing it wrong. What do you think? Sadly, my SSL know-how is
weak, so any pointers to how things ought to work in a TOFU world are
appreciated.
Cheers
Alex