👽 clseibold

Can someone please explain to me why some gemini browsers are completely ignoring the Common Name field in certs and requiring domains to be in the Subject **ALTERNATIVE** Name (SAN) field? This feels like it's completely incorrect and broken.

11 months ago


3 Replies

👽 mozz

Validating *any* X.509 field while using a TOFU scheme is incorrect and broken, but here we are 🤷. Cargo culting is a powerful force in cybersecurity. · 11 months ago

👽 clseibold

@jsreed5 I found the culprit. Apparently in 2011, there was an RFC published that said if a SAN exists, then the CN should not be checked. I don't understand why this is a thing, but it is: https://www.rfc-editor.org/rfc/rfc6125#section-6.4.4 · 11 months ago

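The rule clseibold points to (RFC 6125, section 6.4.4: when a certificate carries SAN dNSName entries, the Common Name is not consulted at all; the CN is only a fallback for certificates with no SAN) is small enough to show in code. The following is an added example, not code from this thread or from any Gemini browser. It operates on the dictionary shape Python's standard-library `ssl.SSLSocket.getpeercert()` returns, so it could be dropped behind a real TLS connection, but the three certificates below are constructed by hand for illustration; the `match_hostname` function and its `field_used` return value are this example's own design.

```python
"""Hostname matching in the style of RFC 6125 section 6.4.4 and 6.4.3.

Added example. Input is the dict shape returned by the standard library's
ssl.SSLSocket.getpeercert(), e.g.
    {"subject": ((("commonName", "host"),),),
     "subjectAltName": (("DNS", "host"), ("DNS", "*.example.org"))}
"""


def _san_dns_names(cert):
    """DNS-ID entries from the Subject Alternative Name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """CN-ID entries from the Subject field (RDN sequence of attribute tuples)."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def _name_matches(presented, hostname):
    """Compare one presented identifier against the reference hostname.

    Case-insensitive; a wildcard is accepted only as the entire left-most
    label and matches exactly one label (RFC 6125 section 6.4.3).
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial-label or non-leading wildcards are refused
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (matched, field_used).

    field_used is "SAN" whenever the certificate has any DNS-ID in its SAN:
    in that case the CN is ignored even if it would have matched, which is
    exactly the behaviour the thread above observed.  field_used is "CN"
    only for certificates that carry no SAN DNS entries at all.
    """
    san = _san_dns_names(cert)
    if san:
        return any(_name_matches(n, hostname) for n in san), "SAN"
    return any(_name_matches(n, hostname) for n in _common_names(cert)), "CN"


# Constructed sample certificates (not real, not from any server).
CN_ONLY_CERT = {
    "subject": ((("commonName", "gemini.example.org"),),),
}
# CN is correct but a SAN is present and does not list the host:
# a SAN-first validator rejects this one.
SAN_MISMATCH_CERT = {
    "subject": ((("commonName", "gemini.example.org"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "ignored.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"),),
}


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT),
                        ("SAN mismatch", SAN_MISMATCH_CERT),
                        ("wildcard SAN", WILDCARD_CERT)):
        print(label, match_hostname(cert, "gemini.example.org"))
```

Running the block prints which field each decision came from: the CN-only certificate is accepted via "CN", the wildcard SAN is accepted via "SAN", and the certificate whose CN is right but whose SAN names a different host is rejected via "SAN" without the CN ever being read. A TOFU client that pins the certificate fingerprint, as mozz describes, would not call this function at all; the example only shows what the SAN-first clients in the question are doing.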

👽 jsreed5

The Gemini protocol specification does not require any particular information to be contained in client or server certificates. I'm guessing that vagueness is resulting in certs being handled differently from server to server. · 11 months ago