Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
p_ing 2 days ago

Did browsers ever strictly require a SAN; they certainly didn't even as of ~10 years ago? Yes, it is "required", but CN only has worked for quite some time. I find this tricks up some IT admins who are still used to only supplying a CN and don't know what a SAN is.

tialaramex 2 days ago | parent [-]

> Did browsers ever strictly require a SAN;

Yes, all the popular browsers require this.

> they certainly didn't even as of ~10 years ago?

That's true, ten years ago it was likely that if a browser required this they would see unacceptably high failure rates because CAs were non-compliant and enforcement wasn't good enough. Issuing certs which would fail PKIX was prohibited, but so is speeding and yet people do that every day. CT improved our ability to inspect what was being issued and monitor fixes.

> Yes, it is "required", but CN only has worked for quite some time.

No trusted CA will issue "CN only" for many years now, if you could obtain such a certificate you'd find it won't work in any popular browser either. You can read the Chromium or Mozilla source and there just isn't any code to look in CN, the browser just parses the SANs.

> I find this tricks up some IT admins who are still used to only supplying a CN and don't know what a SAN is.

In most cases this is a sign you're using something crap like openssl's command line to make CSRs, and so you're probably expending a lot of effort filling out values which will be ignored by the CA and yet not offered parameters you did need.

p_ing 2 days ago | parent [-]

You're forgetting that browsers deal with plenty of internal-only CAs. Just because a public CA won't issue a CN only cert doesn't mean an internal CA won't. That is why I'm curious to know if browsers /strictly/ require SANs, yet. Not something I've tested in a long time since I started supporting public-only websites/cloud infra.

As you noted about OpenSSL, Windows CertSvr will allow you to do CN only, too.

tialaramex 2 days ago | parent [-]

I mean, no, I'm not forgetting that, of course your private CA can issue whatever nonsense you like, to this day - and indeed several popular CAs are designed to do just that as you noted. Certificates which ignore this rule won't work in a browser though, or in some other modern software.

Chromium published an "intent to remove" and then actually removed the CN parsing in 2017, at that point EnableCommonNameFallbackForLocalAnchors was available for people who were still catching up to policy from ~15 years ago. The policy override flag was removed in 2018, after people had long enough to fix their shit.

Mozilla had already made an equivalent change before that, maybe it worked for a few more years in Safari? I don't have a Mac so no idea.