http://bugzilla.novell.com/show_bug.cgi?id=544188
User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=544188#c10
Ludwig Nussel changed:
What          |Removed            |Added
----------------------------------------------------------------------------
Status        |NEEDINFO           |ASSIGNED
Info Provider |lnussel@novell.com |
--- Comment #10 from Ludwig Nussel 2009-10-06 03:48:42 MDT ---
Yes, it is possible to add an arbitrary number of additional hostnames or IP
addresses to the certificate (subjAltName). However, the more I think about it the
more I come to the conclusion that an autogenerated certificate just can't work
this way.
- there's no guarantee that the local hostname is resolvable or has an FQDN at
all
- /etc/HOSTNAME is likely not resolvable (linux-xyz.site)
- the system is reachable via multiple names (e.g. hostname.local for zeroconf)
- the system has an arbitrary, dynamic number of ip addresses (IPv4LL, IPv6LL,
DHCP, dial up interfaces etc ...)
It's possible to generate certificates without a CN though. The error message
of the browser then at least doesn't say it's for the wrong host. Firefox says
the certificate doesn't provide identity information then which is at least
correct information :-)
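The mismatch described in the comment above, as an added example that is not part of the original bug comment or of any project's code: a simplified client-side name check run against a certificate whose subjAltName was fixed at generation time. All names and addresses are constructed samples, the function names are hypothetical, the certificate dict follows the layout returned by Python's `ssl.SSLSocket.getpeercert()`, and wildcard matching is left out.

```python
import ipaddress

# Constructed sample: the names a host knew about itself when the certificate
# was autogenerated, laid out like the dict ssl.SSLSocket.getpeercert() returns.
CERT_AT_INSTALL = {
    "subject": (),  # generated without a CN
    "subjectAltName": (("DNS", "linux-xyz.site"), ("IP Address", "192.0.2.10")),
}
CERT_NO_NAMES = {"subject": (), "subjectAltName": ()}

# Constructed sample: ways a client may reach the same host later
# (zeroconf name, IPv4LL, IPv6LL, a new DHCP lease).
LATER_NAMES = ["linux-xyz.site", "linux-xyz.local", "192.0.2.10",
               "169.254.13.7", "fe80::1", "192.0.2.57"]


def _as_ip(text):
    """Parse text as an IP address, or return None for a DNS name."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_name(cert, reference):
    """Return 'match', 'mismatch' or 'no-identity' for one reference name."""
    sans = cert.get("subjectAltName", ())
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not sans and not cn:
        return "no-identity"  # nothing in the certificate to compare against
    ref_ip = _as_ip(reference)
    for kind, value in sans:
        if ref_ip is not None:
            # IP references only match IP entries, compared as parsed addresses.
            if kind == "IP Address" and _as_ip(value) == ref_ip:
                return "match"
        elif kind == "DNS" and value.rstrip(".").lower() == reference.rstrip(".").lower():
            return "match"
    # Simplification: the CN is consulted only when there are no SAN entries.
    if not sans and ref_ip is None and reference.lower() in (c.lower() for c in cn):
        return "match"
    return "mismatch"


def coverage(cert, names):
    """Map every reference name to its check result for one certificate."""
    return {name: check_name(cert, name) for name in names}
```

`coverage(CERT_AT_INSTALL, LATER_NAMES)` reports a match only for the two names recorded at generation time; every name or address the host acquires afterwards is a mismatch, and a certificate with neither CN nor subjAltName yields `no-identity` for any name.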