jruby-openssl

display and parse inconsistency with DNS SubjectAltNames

Open duritong opened this issue 8 years ago • 0 comments

As soon as a certificate has more than one (DNS?) SAN, jruby-openssl:

a) represents them internally as multiple extensions

b) the `to_text` also renders them as multiple entries

However, as far as I understand https://tools.ietf.org/html/rfc5280#section-4.2 an extension MUST only appear once: "A certificate MUST NOT include more than one instance of a particular extension.", which means that the representation like it is now is at least misleading, if not even completely wrong. MRI openssl returns for the same certificate only one extension, matching a string that is also expected in the other SAN test case.

This especially breaks any kind of client tools that are looking for the first extension and then try to match that content. Also the test shows an inconsistency before and after parsing.

duritong, Feb 08 '17 22:02
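An added example, not part of the original issue or the jruby-openssl code base: a Ruby check that counts the subjectAltName extension objects a certificate exposes, compares them before and after a DER round trip, and collects DNS names from every SAN extension object rather than only the first one. The certificate, host names and helper names (`build_cert`, `san_extensions`, `dns_sans`, `san_report`) are constructed for illustration.

```ruby
require "openssl"

# Constructed sample: a self-signed certificate with several DNS SANs
# placed in ONE subjectAltName extension, as RFC 5280 section 4.2 requires.
def build_cert(dns_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=san-test.example")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Every subjectAltName extension object the runtime exposes for this cert.
def san_extensions(cert)
  cert.extensions.select { |e| e.oid == "subjectAltName" }
end

# Defensive client side: gather DNS names across all SAN extension objects,
# so the result does not depend on how the runtime splits or joins them.
def dns_sans(cert)
  san_extensions(cert).flat_map { |e|
    e.value.split(/,\s*/).map { |v| v[/\ADNS:(.+)\z/, 1] }.compact
  }.uniq
end

# Report the two properties the issue is about: number of SAN extension
# objects, and whether their rendering survives a DER encode/parse round trip.
def san_report(cert)
  reparsed = OpenSSL::X509::Certificate.new(cert.to_der)
  {
    count_before: san_extensions(cert).size,
    count_after: san_extensions(reparsed).size,
    value_stable: san_extensions(cert).map(&:value) == san_extensions(reparsed).map(&:value),
    dns: dns_sans(reparsed),
  }
end
```

Running `san_report(build_cert(%w[a.example b.example c.example]))` under both MRI and JRuby shows whether the two runtimes agree on the extension count and on the rendered value.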