
Please validate Subject Alternative Name DNS records (even when there is no problem with the current name being checked)

Question asked by Wessel van Norel on Dec 23, 2014

I've just spent quite some time investigating a reported issue with SSL connections for a client (it failed on older Android versions (API < 19), but was working on newer Android versions (API >= 19)). In the end it was caused by trailing spaces in the DNS names for some of the Subject Alternative Name (SAN) records. Old Android clients just return no SAN records in that case; the newer ones allow the illegal DNS records, and they fail once you try to use one of the illegal records (as you would expect).
The good news is, the SSL Labs test already lists all invalid DNS names once you use one of the records that have a trailing space. The bad news is, for valid DNS names it does not show a warning about containing alternative names that are in fact invalid (and when you have like 90 alternative names of which only a few are invalid, it takes quite some time before people realise it's related to the SSL certificate itself...).
I'm not at liberty to share the example in public, and I do not have a location where I can create a test setup for this problem. Nor did I find an example of another site having the same problem.
So the question is: can you please validate SAN DNS records even if the current one is valid. It should only issue a warning, since it will work for the valid DNS names.
I'm not sure how often this happens, but it's a thing that can take quite some time before it is detected, certainly with a large list of alternative names.
Thanks in advance.

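The check the post asks for, as an added example that is not part of the original post or of SSL Labs: it validates every SAN dNSName entry (whitespace, label syntax, length) and reports the malformed ones even when the hostname being checked matches a valid entry. It assumes the SAN list is in the shape Python's `ssl.getpeercert()` returns for `subjectAltName`; the sample list is constructed.

```python
import re

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def dns_name_problem(name):
    """Return None if `name` is a well-formed SAN dNSName, else what is wrong."""
    if name != name.strip():
        return "leading or trailing whitespace"
    if len(name) > 253:
        return "longer than 253 characters"
    labels = name.split(".")
    for i, label in enumerate(labels):
        # A single leading '*' label is the only wildcard form clients accept.
        if label == "*" and i == 0 and len(labels) > 1:
            continue
        if not _LABEL_RE.match(label):
            return "invalid label %r" % label
    return None


def hostname_matches(hostname, san_name):
    """Case-insensitive match allowing one leading wildcard label."""
    host, pattern = hostname.lower().split("."), san_name.lower().split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return host[1:] == pattern[1:]
    return host == pattern


def check_san(hostname, subject_alt_name):
    """Check `hostname` against a SAN list shaped like ssl.getpeercert()['subjectAltName'],
    i.e. (('DNS', 'a.example'), ...). Reports every malformed entry even on a clean match."""
    dns_names = [v for t, v in subject_alt_name if t == "DNS"]
    invalid = {n: dns_name_problem(n) for n in dns_names if dns_name_problem(n)}
    matched = any(n not in invalid and hostname_matches(hostname, n)
                  for n in dns_names)
    return {"matched": matched, "invalid": invalid}


# Constructed sample SAN list; two entries are malformed.
SAMPLE_SAN = (
    ("DNS", "www.example.test"),
    ("DNS", "api.example.test "),      # trailing space, as in the reported issue
    ("DNS", "*.cdn.example.test"),
    ("DNS", "bad_host.example.test"),  # underscore is not allowed in a label
)
```

A scanner would emit the `invalid` map as a warning whenever it is non-empty, regardless of whether `matched` is true for the name under test.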