forderud / WindowsClientAuth

Windows examples of certificates for client authentication in web and TLS socket scenarios
MIT License
3 stars 0 forks

Document why subjectAltName is needed #7

Closed jogerh closed 2 years ago

jogerh commented 2 years ago

It would be good to document why the subjectAltName is needed here. I ask because the built-in Microsoft Http Server is able to serve even if this property is missing.

forderud commented 2 years ago

The reason for using subjectAltName is to avoid "Not secure" warnings when testing from web browsers as shown in #8.

Are you able to avoid "Not secure" warnings without this field? If so, then I really want to learn how.

jogerh commented 2 years ago

It turns out that this is related to the Windows Internet API.

If a web client uses this API, the HttpOpenRequest function can be configured to disable checking of SSL/PCT-based certificates that are returned from the server against the host name given in the request. See INTERNET_FLAG_IGNORE_CERT_CN_INVALID in https://docs.microsoft.com/en-us/windows/win32/wininet/api-flags.

I therefore think that it is the client responsibility to check the actual host name against the Alternative Subject Name. I assume this gives a protection against stolen certificates since the certificate is tied to a specific host name.
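To make the host-name check discussed above concrete, here is an added example that is not part of the WindowsClientAuth repository or of either comment. It implements the matching a TLS client performs when host-name verification is left enabled (the check that INTERNET_FLAG_IGNORE_CERT_CN_INVALID would switch off): the requested host is compared against the certificate's subjectAltName entries, with the subject CN consulted only as an opt-in legacy fallback. The certificate contents are constructed sample data in a plain dict rather than a parsed X.509 object; `verify_hostname`, `_match_dns_name` and the `allow_cn_fallback` parameter are names chosen for this example.

```python
"""Host-name verification against a certificate's subjectAltName (SAN).

Added example, not code from the WindowsClientAuth repository. The cert
records below are constructed stand-ins for parsed X.509 data:
  {"subject_cn": "<CN or None>", "san": [("DNS", name), ("IP", addr), ...]}
"""
import ipaddress


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname, RFC 6125 style.

    A wildcard is honoured only when it is the entire left-most label, it
    never spans label boundaries, and patterns with fewer than three labels
    (such as '*.com') are refused because they would match almost anything.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial ('w*w.') or non-leading wildcard: reject
    if len(p_labels) < 3:
        return False  # '*.com' is too broad
    if len(h_labels) != len(p_labels):
        return False  # the wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str, allow_cn_fallback: bool = False) -> bool:
    """Return True when `hostname` is covered by `cert`.

    - An IP literal must match an iPAddress SAN entry; dNSName entries never
      apply to it.
    - When a SAN extension is present, only SAN entries are consulted; the
      subject CN is ignored, which is the behaviour of current browsers.
    - With no SAN at all the certificate is rejected unless the caller opts
      into the legacy CN fallback. This is why a certificate without
      subjectAltName draws a "Not secure" warning even though a server such
      as the Windows HTTP Server API will happily serve with it.
    """
    san = cert.get("san") or []
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in san)
    if san:
        return any(t == "DNS" and _match_dns_name(v, hostname) for t, v in san)
    if allow_cn_fallback:
        cn = cert.get("subject_cn")
        return bool(cn) and _match_dns_name(cn, hostname)
    return False


# Constructed sample certificates (no real keys or hosts involved).
LOCALHOST_CERT = {
    "subject_cn": "localhost",
    "san": [("DNS", "localhost"), ("IP", "127.0.0.1"), ("IP", "::1")],
}
WILDCARD_CERT = {"subject_cn": "*.example.com", "san": [("DNS", "*.example.com")]}
CN_ONLY_CERT = {"subject_cn": "localhost", "san": []}

if __name__ == "__main__":
    for cert, host in [
        (LOCALHOST_CERT, "localhost"),
        (LOCALHOST_CERT, "127.0.0.1"),
        (CN_ONLY_CERT, "localhost"),
        (WILDCARD_CERT, "www.example.com"),
        (WILDCARD_CERT, "a.b.example.com"),
    ]:
        print(f"{host:>18} vs CN={cert['subject_cn']!r}, SAN={cert['san']}: "
              f"{verify_hostname(cert, host)}")
```

The `CN_ONLY_CERT` case is the situation in this issue: the server serves fine, but a client that does not pass `allow_cn_fallback=True` (or, in WinINet terms, does not set INTERNET_FLAG_IGNORE_CERT_CN_INVALID) rejects it, and the fix is to issue the certificate with a dNSName SAN entry for the host being requested.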