Description of problem: m2crypto-0.16-6.el5.1 in RHEL5 does not support multiple names on the same certificate. This was added in upstream version 0.18:

- support multiple dNSName fields in subjectAltName
- support multiple commonName fields for SSL peer hostname checking

Also see this CentOS bug: http://bugs.centos.org/view.php?id=2424
Thanks for your report.
To test:

* mkdir d; cd d; cp /etc/pki/tls/openssl.cnf .
* edit openssl.cnf:
  - in [req_distinguished_name], replace commonName* with

        0.commonName = server name 1
        0.commonName_default = cn0.example.com
        0.commonName_max = 64
        1.commonName = server name 2
        1.commonName_default = cn1.example.com
        1.commonName_max = 64
        2.commonName = server name 3
        2.commonName_default = cn2.example.com
        2.commonName_max = 64

  - add to [v3_ca]:

        subjectAltName = DNS:san1.example.com, DNS:san2.example.com

* openssl genrsa 1024 > mycert.key
* yes '' | \
  openssl req -config ./openssl.cnf -new -key mycert.key -x509 -out mycert.crt
* create test.py:

        import sys
        import M2Crypto.SSL.Checker as Checker
        import M2Crypto.X509 as X509

        def test(host, cert):
            # Checker compares the expected host name against the certificate:
            # subjectAltName dNSName entries when present, commonName otherwise.
            c = Checker.Checker(host)
            try:
                c(cert)
                print 'OK'
            except Checker.SSLVerificationError, e:
                print 'Error: %s' % str(e)

        cert = X509.load_cert(sys.argv[1])
        # Read host names from stdin until EOF and check each one.
        while True:
            try:
                host = raw_input('Host name:')
            except EOFError:
                break
            test(host, cert)

* Test various host names by running (python test.py mycert.crt)
  Expected results: san[12].example.com pass, cn[012].example.com and anything else doesn't.
* Remove the subjectAltName= line from openssl.cnf, generate a new key and certificate
* Run (python test.py mycert.crt)
  Expected results: cn[012].example.com pass, nothing else does.
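The expected results above follow from one precedence rule: when a certificate carries subjectAltName dNSName entries, only those are consulted, and the commonName fields are used only for certificates without any dNSName. The following is an added example, not code from the bug report or from M2Crypto, that models that rule in pure Python over constructed stand-ins for the two certificates built in the procedure (no real X.509 parsing). Single-label wildcard matching (`*.example.com`) is included as an assumption about typical checker behaviour; the names `check_hostname`, `classify` and `WrongHost` are invented for this example.

```python
# Constructed stand-ins for the parsed subject/SAN fields of the two
# certificates generated in the test procedure (not real certificates).
CERT_WITH_SAN = {
    "common_names": ["cn0.example.com", "cn1.example.com", "cn2.example.com"],
    "san_dns": ["san1.example.com", "san2.example.com"],
}
CERT_WITHOUT_SAN = {
    "common_names": ["cn0.example.com", "cn1.example.com", "cn2.example.com"],
    "san_dns": [],
}


class WrongHost(Exception):
    """Raised when no acceptable name in the certificate matches the host."""


def _name_matches(pattern, host):
    """Case-insensitive DNS name comparison.

    A leading '*.' label (assumed wildcard handling, not taken from the page)
    matches exactly one non-empty label and never the registrable base itself.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        if pattern.count(".") < 2:      # refuse '*.com'-style patterns
            return False
        parent = pattern[2:]
        head, sep, tail = host.partition(".")
        return sep == "." and head != "" and tail == parent
    return pattern == host


def check_hostname(host, common_names, san_dns):
    """Return the certificate name that matched, or raise WrongHost.

    Precedence follows the expected results in the bug: subjectAltName dNSName
    entries, when present, are the only names considered; commonName fields
    are consulted only for certificates that have no dNSName at all.
    """
    if san_dns:
        candidates, source = list(san_dns), "subjectAltName"
    else:
        candidates, source = list(common_names), "commonName"
    for name in candidates:
        if _name_matches(name, host):
            return name
    raise WrongHost("peer certificate %s does not match host %r (have: %s)"
                    % (source, host, ", ".join(candidates) or "none"))


def classify(host, cert):
    """'OK' or 'Error: ...', mirroring what test.py prints per host name."""
    try:
        check_hostname(host, cert["common_names"], cert["san_dns"])
        return "OK"
    except WrongHost as e:
        return "Error: %s" % e


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:] or ["san1.example.com", "cn0.example.com", "other.example.com"]
    for h in hosts:
        print("%-20s with SAN: %-40s without SAN: %s"
              % (h, classify(h, CERT_WITH_SAN), classify(h, CERT_WITHOUT_SAN)))
```

Running it with no arguments prints the verdict for a few host names against both constructed certificates, which reproduces the two "Expected results" lines of the procedure.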
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0041.html