XoT Testing: TLS peer certificate verification failed
Klaus Darilion
klaus.darilion at nic.at
Wed Mar 5 01:44:57 UTC 2025
> -----Original Message-----
> From: Petr Špaček <pspacek at isc.org>
> Sent: Tuesday, March 4, 2025 6:11 PM
> To: Robert Wagner <rwagner at tesla.net>; Klaus Darilion
> <klaus.darilion at nic.at>
> Cc: bind-users at isc.org
> Subject: Re: XoT Testing: TLS peer certificate verification failed
>
> > I think I have solved the mystery: Bind (or openssl, whoever does the
> > validation) requires Subject Alternative Name. Regardless of whether using the
> > hostname or the IP address, they must be in the subject alternative
> > name. When using self-signed certificates, it is probably best to put
> > both in the SAN. Using the following certificate on the server, the
> > validation in dig works fine, regardless of whether using the hostname or IP
> > address.
>
> The DNS-over-TLS specification insists on this behavior. See
> https://datatracker.ietf.org/doc/html/rfc8310.html#section-8.1
>
> Quote:
> A compliant DNS client MUST only inspect the certificate's
> subjectAltName extension for the reference identifier. In
> particular, it MUST NOT inspect the Subject field itself.
Thanks for the reference. It seems I should have read the whole RFC before playing around with TLS. 😊
Regards
Klaus
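The SAN-only rule quoted above, shown as an added example (not code from BIND, dig or anyone in this thread): a reference-identifier check in the dict shape Python's `ssl` module returns from `getpeercert()`, run against two constructed certificates, one with only a CN and one carrying both the hostname and the IP literals in subjectAltName. The certificate dicts and names are constructed for illustration.

```python
import ipaddress

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); they are not real certificates.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ns1.example.net"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ns1.example.net"),),),
    "subjectAltName": (
        ("DNS", "ns1.example.net"),
        ("IP Address", "192.0.2.53"),
        ("IP Address", "2001:db8::53"),
    ),
}


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, trailing dot
    ignored, and a wildcard only as the entire left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def matches_reference_identifier(cert: dict, reference: str) -> bool:
    """True only if the reference identifier (hostname or IP literal) is
    present in subjectAltName. The Subject field is never consulted, which
    is what RFC 8310 section 8.1 requires of a DNS-over-TLS client, and why
    a CN-only self-signed certificate fails for both hostname and IP."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None  # reference is a hostname, match dNSName entries only
    for kind, value in cert.get("subjectAltName", ()):
        if ref_ip is not None:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ref_ip:
                        return True  # compares normalized addresses
                except ValueError:
                    continue
        elif kind == "DNS" and _dns_match(value, reference):
            return True
    return False
```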