Hi,
Chris K and I have discovered a bug in srmcp (the client) which we
sort of suspected was a bug earlier but have now confirmed.
If the SRM host has an alias, and the host certificate is issued to the
alias, srmcp refuses to connect. In other words, srmcp appears to
look up the *canonical* name of the host and compare it to the name
in the certificate. Which is a bug. It **must** use the name in the
SURL to compare against the name in the certificate - see for example
RFC 2595 section 2.4:
http://www.rfc-editor.org/rfc/rfc2595.txt
This is a security bug because DNS is not considered secure. See
the RFC.
Moreover, the error message indicates that srmcp uses the name in the
CN of the certificate rather than that of the subjectAltName, although
we couldn't confirm this because they are of course the same. That's
more peculiar than serious, although the RFCs do say to use the s.a.n.
--jens
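
The check that RFC 2595 section 2.4 asks for, next to the behaviour reported above, as an added example that is not part of the original message and is not srmcp code. The SURL, host names, resolver table and certificate dictionary are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the original report).
SURL = "srm://srm.example.org:8443/srm/managerv2?SFN=/data/file1"
CANONICAL = {"srm.example.org": "node17.cluster.example.org"}  # stands in for DNS
# Same layout as ssl.SSLSocket.getpeercert(); certificate issued to the alias.
CERT = {
    "subject": ((("commonName", "srm.example.org"),),),
    "subjectAltName": (("DNS", "srm.example.org"),),
}

def reference_name(surl):
    """Host name exactly as written in the SURL; no DNS lookup is involved."""
    host = urlsplit(surl).hostname
    if not host:
        raise ValueError("SURL has no host part: %r" % surl)
    return host.rstrip(".").lower()

def name_matches(pattern, name):
    """Case-insensitive compare; '*' may stand for the left-most label only."""
    p = pattern.rstrip(".").lower().split(".")
    n = name.rstrip(".").lower().split(".")
    if len(p) != len(n):
        return False
    return p[1:] == n[1:] and (p[0] == "*" or p[0] == n[0])

def cert_names(cert):
    """dNSName subjectAltNames if present, otherwise fall back to the CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def verify_host(surl, cert):
    """Correct check: the name the user typed versus the certificate."""
    return any(name_matches(p, reference_name(surl)) for p in cert_names(cert))

def verify_canonical(surl, cert, resolver):
    """The behaviour reported above: canonicalise first, then compare."""
    canonical = resolver[reference_name(surl)]
    return any(name_matches(p, canonical) for p in cert_names(cert))

if __name__ == "__main__":
    print("SURL name check:     ", verify_host(SURL, CERT))
    print("canonical name check:", verify_canonical(SURL, CERT, CANONICAL))
```

With the certificate issued to the alias, the SURL-name check accepts the host and the canonical-name check rejects it, which is the refusal to connect described in the report.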