[Cyberduck-trac] [Cyberduck] #2856: FTPS does not support subjectAltName attributes in SSL certificates

Cyberduck trac at trac.cyberduck.ch
Thu Jan 8 20:17:27 CET 2009


#2856: FTPS does not support subjectAltName attributes in SSL certificates
------------------------------+---------------------------------------------
 Reporter:  brandonvalentine  |       Owner:  dkocher                                                   
     Type:  defect            |      Status:  assigned                                                  
 Priority:  normal            |   Milestone:                                                            
Component:  ftp-tls           |     Version:  3.1                                                       
 Severity:  normal            |    Keywords:  ssl, tls, subjectaltname, ucc, san, subjectalternativename
------------------------------+---------------------------------------------
Changes (by dkocher):

  * status:  new => assigned


Old description:

> I love, love, love the Cyberduck but have recently found a bug in the way
> it evaluates the trustworthiness of SSL certificates.  It checks only the
> Common Name for a match on the server name but ignores the subjectAltName
> extensions, which are a perfectly valid and common way to secure
> additional domain names under one certificate.  I'd love to see this
> added to a future Cyberduck update as the alternative is to add a bunch
> of explicit certificate trusts to your Keychain when working with sites
> secured this way.  Attached are screenshots of what Cyberduck does when
> connecting to an FTP URL which is secured in the subjectAltName of a
> certificate with a different Common Name.

New description:

 I love, love, love the Cyberduck but have recently found a bug in the way
 it evaluates the trustworthiness of SSL certificates.  It checks only the
 Common Name for a match on the server name but ignores the
 `subjectAltName` extensions, which are a perfectly valid and common way to
 secure additional domain names under one certificate.  I'd love to see
 this added to a future Cyberduck update as the alternative is to add a
 bunch of explicit certificate trusts to your Keychain when working with
 sites secured this way.  Attached are screenshots of what Cyberduck does
 when connecting to an FTP URL which is secured in the `subjectAltName` of
 a certificate with a different Common Name.

 [[Image(cyberduck1.jpg)]]
 [[Image(cyberduck2.jpg)]]

--

-- 
Ticket URL: <http://trac.cyberduck.ch/ticket/2856#comment:1>
Cyberduck <http://cyberduck.ch>
FTP, SFTP, WebDAV and Amazon S3 Browser for Mac OS X.
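
The check the ticket asks for, as an added example that is not Cyberduck's code: the Common Name-only comparison next to one that honours `subjectAltName`. It assumes the rule from RFC 2818 section 3.1 (written for HTTPS, applied here to FTPS) and the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`; the certificates and host names are constructed, and IP address SANs are not handled.

```python
# Added example: function names and sample certificates are constructed for illustration.

def _match(pattern, host):
    """Compare one certificate DNS name with the host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard is accepted only as the whole leftmost label, covers exactly
        # one non-empty label, and needs at least two fixed labels after it.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h

def common_names(cert):
    """Collect every commonName value from the subject RDN sequence."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cn_only_check(cert, host):
    """The behaviour reported in the ticket: only the Common Name is compared."""
    return any(_match(cn, host) for cn in common_names(cert))

def san_aware_check(cert, host):
    """If dNSName SAN entries exist they are the identity; CN is only a fallback."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_match(name, host) for name in dns_names)
    return cn_only_check(cert, host)

# Constructed certificate: one Common Name, further names only in subjectAltName.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "ftp.example.net"),
                       ("DNS", "*.example.org")),
}
# Constructed legacy certificate with no subjectAltName extension at all.
CN_ONLY_CERT = {"subject": ((("commonName", "ftp.example.net"),),)}

if __name__ == "__main__":
    for name in ("www.example.com", "ftp.example.net", "files.example.org",
                 "a.b.example.org", "ftp.example.com"):
        print(name, cn_only_check(SAMPLE_CERT, name), san_aware_check(SAMPLE_CERT, name))
```

Once a certificate carries any dNSName entry, the Common Name is no longer consulted, so a name that appears only in the CN of such a certificate is rejected.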

