我即将为一个小型网站购买 SSL 证书。为通用名称输入“www.domainName.com”或“domainName.com”是最佳做法吗?
问问题
8436 次
1 回答
8
确保使用该subjectAltName字段,并包含您要使用的主机名的所有变体,或者如果您不确定所有变体将是什么,则使用通配符。公用名 (CN) 仅用作备份。有关详细信息,请参阅RFC 2818 :
###3.1。服务器身份
通常,HTTP/TLS 请求是通过取消引用 URI 生成的。因此,客户端知道服务器的主机名。如果主机名可用,客户端必须根据服务器证书消息中显示的服务器身份检查它,以防止中间人攻击。
如果客户端有关于服务器预期身份的外部信息,则可以省略主机名检查。(例如,客户端可能连接到一台机器,其地址和主机名是动态的,但客户端知道服务器将提供的证书。)在这种情况下,尽可能缩小可接受证书的范围很重要为了防止中间人攻击。在特殊情况下,客户端简单地忽略服务器的身份可能是合适的,但必须理解这会使连接对主动攻击开放。
如果存在 dNSName 类型的 subjectAltName 扩展,则必须将其用作身份。否则,必须使用证书主题字段中的(最具体的)通用名称字段。尽管使用通用名称是现有的做法,但它已被弃用,并且鼓励证书颁发机构使用 dNSName 代替。
使用 [RFC2459] 指定的匹配规则执行匹配。如果证书中存在多个给定类型的身份(例如,多个 dNSName 名称,则认为可以接受任何一个集合中的匹配。)名称可能包含通配符 *,该通配符被认为匹配任何单个域名组件或组件片段。例如,
*.a.com匹配foo.a.com但不匹配bar.foo.a.com。f*.com匹配foo.com但不匹配bar.com。In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
If the hostname does not match the identity in the certificate, user oriented clients MUST either notify the user (clients MAY give the user the opportunity to continue with the connection in any case) or terminate the connection with a bad certificate error. Automated clients MUST log the error to an appropriate audit log (if available) and SHOULD terminate the connection (with a bad certificate error). Automated clients MAY provide a configuration setting that disables this check, but MUST provide a setting which enables it.
Note that in many cases the URI itself comes from an untrusted source. The above-described check provides no protection against attacks where this source is compromised. For example, if the URI was obtained by clicking on an HTML page which was itself obtained without using HTTP/TLS, a man in the middle could have replaced the URI. In order to prevent this form of attack, users should carefully examine the certificate presented by the server to determine if it meets their expectations.
于 2013-03-29T21:38:09.103 回答