0

I use M2Crypto with both client and server having keys and certificates added, no authority!!! Now I found that the Common Name field should be set to the domain or anything, as long as it is identical on both sides. I have a problem when the Python scripts are run: if the key doesn't have the same Common Name field as its IP, it won't work. Is there any connection between the machine IP and the Common Name field, because I don't use an authority?

1 Answer

0

You may be interested in this answer I gave to a similar question:

How host name verification should be done is defined in RFC 6125, which is quite recent and generalises the practice to all protocols, and replaces RFC 2818, which was specific to HTTPS. (I'm not even sure Java 7 uses RFC 6125, which might be too recent for this.)

From RFC 2818 (Section 3.1):

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

[...]

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

Essentially (at least for HTTPS, but this is also generalised to other protocols), you're not meant to put the IP address in the Common Name of your Subject DN, it should be in an IP Subject Alternative Name entry. (Some browsers are quite flexible about this.)

Bruno
  • Yes, thanks, but I think M2Crypto is making problems. If I use something else, rather than the IP of the machine, for the common name it raises weird exceptions. Can anybody make an example of usage with a client-side certificate? I think that the problem is in some kind of settings. – user1254814 Mar 12 '12 at 09:34
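
The RFC 2818 Section 3.1 rule quoted in the answer, written out as an added example that is not part of the original posts and is not M2Crypto's own checker. The function name and sample certificates are hypothetical; the dict shape follows Python's `ssl.SSLSocket.getpeercert()`, and wildcard names are left out, so matching is exact and case-insensitive.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def rfc2818_match(cert, reference):
    """Return (matched, field_used) for a getpeercert()-style dict.

    reference is the name or IP the client connected to.
    """
    sans = cert.get("subjectAltName", ())
    want_ip = _as_ip(reference)
    if want_ip is not None:
        # IP reference: only iPAddress SAN entries count, the CN is never used.
        ips = [_as_ip(v) for kind, v in sans if kind == "IP Address"]
        return want_ip in ips, "iPAddress SAN"
    dns_names = [v.lower() for kind, v in sans if kind == "DNS"]
    if dns_names:
        # A dNSName entry is present, so it MUST be used and the CN is ignored.
        return reference.lower() in dns_names, "dNSName SAN"
    # Fallback: the Common Name. Assumption: the most specific CN is the
    # last one listed in the subject.
    cns = [v for rdn in cert.get("subject", ())
           for key, v in rdn if key == "commonName"]
    if not cns:
        return False, "none"
    return cns[-1].lower() == reference.lower(), "commonName"

# Constructed sample certificates (documentation addresses and .test names).
CN_IS_IP = {"subject": ((("commonName", "192.0.2.10"),),)}
IP_IN_SAN = {"subject": ((("commonName", "server"),),),
             "subjectAltName": (("IP Address", "192.0.2.10"),)}
DNS_IN_SAN = {"subject": ((("commonName", "old.example.test"),),),
              "subjectAltName": (("DNS", "new.example.test"),)}
CN_ONLY = {"subject": ((("commonName", "host.example.test"),),)}

if __name__ == "__main__":
    for label, cert, ref in [("CN holds the IP", CN_IS_IP, "192.0.2.10"),
                             ("IP in SAN", IP_IN_SAN, "192.0.2.10"),
                             ("SAN overrides CN", DNS_IN_SAN, "old.example.test"),
                             ("CN fallback", CN_ONLY, "host.example.test")]:
        print(label, ref, rfc2818_match(cert, ref))
```

A verifier that is flexible about this, as the answer notes some browsers are, would accept the first certificate; the strict rule does not.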