
validate_hostname SAN list precedence #14

Open
ShiFoo opened this issue Jul 13, 2016 · 2 comments

Comments


ShiFoo commented Jul 13, 2016

Hi everyone,

I have a question regarding your reference implementation of validate_hostname.
A customer of mine has a server certificate with an empty SAN list, which always causes the server hostname validation to fail (MatchNotFound). The Common Name contains the correct value but is not used if the SAN list does not contain a matching entry. I was not able to find the corresponding text in RFC 6125 that reflects this behaviour.
Wouldn't it make more sense to treat an empty SAN list like a non-existing one?

Best regards


tomrittervg commented Jul 14, 2016

That may be a reasonable workaround in the code for broken compatibility; but the Basic Requirements require the SAN list to contain any domain listed in the Common Name field. Whoever issued that certificate is at fault.

At this point we don't think we intend to update this library, so while I'll leave this issue open, we won't be addressing it.


ShiFoo commented Jul 15, 2016

Thank you very much for the quick answer.
For anybody else: I dug some more and found a Stack Overflow thread that references the RFCs that mention your implemented behaviour.

http://stackoverflow.com/questions/5935369/ssl-how-do-common-names-cn-and-subject-alternative-names-san-work-together

You are right, the certificate issuer is at fault.
Best regards
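As an added illustration (not code from this library or from either commenter), the Python below shows the RFC 6125 rule the thread turns on: when a subjectAltName list is present, only its dNSName entries are consulted and the Common Name is ignored, so an empty SAN list yields MatchNotFound even when the CN is correct. The `empty_san_is_absent` switch models the relaxation proposed in the first post so both behaviours can be compared; the function names and the wildcard handling are assumptions of this example.

```python
from typing import Optional, Sequence

class MatchNotFound(Exception):
    """Raised when no presented identifier matches the reference hostname."""

def _dns_id_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison with the RFC 6125 section 6.4.3 wildcard
    rule: a single '*' only as the whole leftmost label, never across a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject partial-label wildcards ("f*o.example.com"), wildcards leaving fewer
    # than two literal labels ("*.com"), and matches spanning several labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def validate_hostname(hostname: str, san_dns_names: Optional[Sequence[str]],
                      common_name: Optional[str], empty_san_is_absent: bool = False) -> str:
    """Return which identifier matched ("SAN:..." or "CN:...") or raise MatchNotFound.

    san_dns_names is None when the certificate has no subjectAltName extension,
    otherwise the (possibly empty) list of its dNSName entries. The default keeps
    the strict rule the issue describes: once a SAN list is present the CN is never
    consulted (RFC 6125 section 6.4.4); empty_san_is_absent is the proposed relaxation.
    """
    san_present = san_dns_names is not None
    if san_present and empty_san_is_absent and len(san_dns_names) == 0:
        san_present = False  # treat an empty SAN list like a missing one
    if san_present:
        for name in san_dns_names:
            if _dns_id_match(name, hostname):
                return f"SAN:{name}"
        raise MatchNotFound(f"no SAN dNSName matches {hostname!r}")
    # No usable SAN list: legacy fallback to the Common Name (CN-ID).
    if common_name and _dns_id_match(common_name, hostname):
        return f"CN:{common_name}"
    raise MatchNotFound(f"CN does not match {hostname!r}")

def hostname_matches(hostname, san_dns_names, common_name, empty_san_is_absent=False) -> bool:
    """Boolean wrapper around validate_hostname for callers that do not need the reason."""
    try:
        validate_hostname(hostname, san_dns_names, common_name, empty_san_is_absent)
        return True
    except MatchNotFound:
        return False
```

The relaxed mode only makes the issuer's defect (a CN domain absent from the SAN list) visible for comparison; the strict default is the behaviour RFC 6125 and the Baseline Requirements expect.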
