X509CertificateClaimSet should validate based on SAN instead of the Subject Name #321
For versions of .NET Framework > 4.6 on Desktop, we will no longer be checking certificate Subject Names for CN=host anymore; rather, we will test based on Subject Alternative Name.
Currently, we are adopting the old behaviour checking against the Subject Name (CN=host) as our test certs are not generated with SANs present (see #320).
In the wild, most certs issued should already contain SANs for the names that the server can be. We should therefore make a change in WCF for .NET Core to check certificates for SANs once #320 is resolved.
No work needed in Desktop .NET Framework - it already acts as described above. The question is whether WCF for .NET Core wants to follow Desktop 4.6+ behaviour or <= 4.5 behaviour.
Removing "not yet supported" label as this is (and has been) supportable in code, just that we lacked a way to test this functionality.
Depending on the behaviour we want here, we need to make appropriate changes on the Bridge or BridgeClient sides.
We need to change the certificates that are generated depending on this design.
I think we should follow .NET 4.6 and up behaviour. To be clear, code currently checked into 4.6 is quirked to behave differently between <=4.5.x and >=4.6.
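The difference between the two behaviours discussed in this issue, as an added example that is not part of the thread and is not WCF or Bridge code. It assumes .NET 7 or later (for `X509Certificate2.MatchesHostname`); the host name, subject names and the `SanVersusCnDemo` class are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SanVersusCnDemo
{
    // Builds a throwaway self-signed certificate (constructed test data).
    // Passing null for sanDnsName produces a certificate with no SAN extension,
    // which is the shape of test certificate the issue says is in use today.
    static X509Certificate2 MakeCert(string commonName, string? sanDnsName)
    {
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest(
            $"CN={commonName}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        if (sanDnsName != null)
        {
            var san = new SubjectAlternativeNameBuilder();
            san.AddDnsName(sanDnsName);
            request.CertificateExtensions.Add(san.Build());
        }

        DateTimeOffset now = DateTimeOffset.UtcNow;
        return request.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(1));
    }

    static void Report(string label, X509Certificate2 cert, string host)
    {
        // allowCommonName: false -> only Subject Alternative Name entries can match.
        bool sanOnly = cert.MatchesHostname(host, allowWildcards: true, allowCommonName: false);
        // allowCommonName: true -> the Subject CN may match when no SAN names are present.
        bool cnFallback = cert.MatchesHostname(host, allowWildcards: true, allowCommonName: true);
        Console.WriteLine($"{label}: SAN-only={sanOnly}, CN-fallback={cnFallback}");
    }

    static void Main()
    {
        const string host = "wcf-test.example"; // constructed host name
        using X509Certificate2 cnOnly = MakeCert(host, sanDnsName: null);
        using X509Certificate2 withSan = MakeCert("unrelated-subject", sanDnsName: host);

        Report("CN=host, no SAN", cnOnly, host);
        Report("SAN dNSName=host", withSan, host);
    }
}
```

Under a SAN-only rule the CN-only certificate does not match its own host name, which is why the test certificates have to carry SANs before the check can be switched.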