Does a cert need a Common Name matching the domain?

[colecmac at protonmail.com]

On the surface I think you're right, that in the TOFU world,
CN shouldn't matter, and neither should subjectAltName, etc.
We shouldn't even need wildcard certs, because anything should be
accepted.

However, I hope someone more knowledgeable can chime in, maybe
there's an issue I'm not considering.


makeworld

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, July 17, 2020 5:09 AM, Alex Schroeder <alex at gnu.org> wrote:

> Luke Emmet writes:
>
> > > I'm getting "failed to connect to the server: hostname does not
> > > verify: x509: certificate is valid for celulinde, not
> > > caranatar.xyz"
>
> On Fri, 2020-07-17 at 04:20 -0400, Caranatar wrote:
>
> > Ah crap apparently none of the clients I was using to test were
> > actually
> > verifying the certificate, and I forgot to change the CN when I
> > copy/pasted my cert generation command from my laptop. It should be
> > working now...
>
> What do other people think about this? My personal impression was that
> in a trust on first use (TOFU) world, the common name (CN) of a
> certificate could be anything. It could be "Alex Schroeder", for
> example. Or it could be "alexschroeder.ch". Even if it was served as
> the certificate for another domain, like transjovian.org. After all,
> the question is only whether you "trust on first use".
>
> My impression is that a client that tries to verify that CN and domain
> match is doing it wrong. What do you think? Sadly, my SSL know-how is
> weak, so any pointers to how things ought to work in a TOFU world are
> appreciated.
>
> Cheers
> Alex