ssl(8), fix text about web browsers and SAN


ssl(8), fix text about web browsers and SAN

Stuart Henderson
it's standard behaviour for web browsers to not use hostnames in
Subject at all but require SAN. current ssl(8) text suggests "some new"
and "deprecated" rather than "stopped supporting".

comments/ok?


Index: ssl.8
===================================================================
RCS file: /cvs/src/share/man/man8/ssl.8,v
retrieving revision 1.67
diff -u -p -r1.67 ssl.8
--- ssl.8 25 Mar 2019 18:36:58 -0000 1.67
+++ ssl.8 10 May 2019 11:48:41 -0000
@@ -94,9 +94,9 @@ You can also sign the key yourself, usin
   -out /etc/ssl/server.crt
 .Ed
 .Pp
-Note that some new browsers have deprecated using the common name of a
-certificate and require that subject alt names are provided.
-This may require the use of
+Note that standard web browsers do not use the common name of a subject,
+but instead require that subject alt names are provided.
+This requires the use of
 .Ar -extfile Pa server.ext
 when self-signing.
 .Bd -literal -offset indent
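
Review bot: In the first added line, "the common name of a subject" is ambiguous, because "subject" can be read as a person or host rather than the certificate's Subject field; "the common name in the certificate subject" would be clearer. Consider also spelling "subject alt names" as "Subject Alternative Names (SAN)" on first use, so the term matches what readers will search for.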


Re: ssl(8), fix text about web browsers and SAN

Reyk Floeter-2
I was just stumbling over this as well when I did the relayd: SNI diff.

OK reyk

On Fri, May 10, 2019 at 1:50 PM Stuart Henderson <[hidden email]>
wrote:

> it's standard behaviour for web browsers to not use hostnames in
> Subject at all but require SAN. current ssl(8) text suggests "some new"
> and "deprecated" rather than "stopped supporting".
>
> comments/ok?
>
>
> Index: ssl.8
> ===================================================================
> RCS file: /cvs/src/share/man/man8/ssl.8,v
> retrieving revision 1.67
> diff -u -p -r1.67 ssl.8
> --- ssl.8       25 Mar 2019 18:36:58 -0000      1.67
> +++ ssl.8       10 May 2019 11:48:41 -0000
> @@ -94,9 +94,9 @@ You can also sign the key yourself, usin
>    -out /etc/ssl/server.crt
>  .Ed
>  .Pp
> -Note that some new browsers have deprecated using the common name of a
> -certificate and require that subject alt names are provided.
> -This may require the use of
> +Note that standard web browsers do not use the common name of a subject,
> +but instead require that subject alt names are provided.
> +This requires the use of
>  .Ar -extfile Pa server.ext
>  when self-signing.
>  .Bd -literal -offset indent
>
>
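
Review bot: "standard web browsers" in the first added line leaves open which browsers count as standard; plain "web browsers" or "current web browsers" makes the same statement without the undefined qualifier. The third added line changes "may require" to "requires", so the sentence would read best if it said the requirement applies to self-signed certificates that browsers are expected to accept.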

Re: ssl(8), fix text about web browsers and SAN

Ted Unangst-6
In reply to this post by Stuart Henderson
Stuart Henderson wrote:
> it's standard behaviour for web browsers to not use hostnames in
> Subject at all but require SAN. current ssl(8) text suggests "some new"
> and "deprecated" rather than "stopped supporting".
>
> comments/ok?

I was trying to avoid argument "but my browser still works" :) but I agree
this wording is closer to reality. ok.
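
The behaviour the thread describes, as an added example that is not part of the original messages or of ssl(8): a hostname check that consults only subjectAltName and never the Subject common name. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the wildcard policy are assumptions of this sketch.

```python
import ipaddress

# Constructed sample certificates (getpeercert()-style dictionaries).
CN_ONLY = {"subject": ((("commonName", "www.example.com"),),)}
WITH_SAN = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern: str, host: str) -> bool:
    """Compare one dNSName entry with a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Assumed policy for this sketch: '*' must be the entire left-most
        # label, stands for exactly one non-empty label, and must be
        # followed by at least two fixed labels.
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def san_only_match(cert: dict, host: str) -> bool:
    """True only if a subjectAltName entry covers host; the CN is ignored."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, so treat host as a DNS name
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False


if __name__ == "__main__":
    for name, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN)):
        print(name, san_only_match(cert, "www.example.com"))
```

A certificate whose only hostname is in the common name fails this check even though the name is spelled correctly, which is the situation the `-extfile server.ext` step avoids.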