000018754 - When a client written with RSA BSAFE SSL-J verifies the server's certificate, does it check that the URL in the certificate matches the URL of the connection?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000018754
Applies To: RSA BSAFE SSL-J
Issue: When a client written with RSA BSAFE SSL-J verifies the server's certificate, does it check that the URL in the certificate matches the URL of the connection?
Resolution: The RSA BSAFE SSL-J toolkit does not explicitly check whether the URL in the certificate matches the URL of the connection. If the other party holds the private key corresponding to a certificate signed by a trusted CA, the CA is vouching for the holder of the key pair. Certificate verification therefore establishes that a trusted CA issued the certificate, not that the certificate names the host the client connected to.

The SSL specification does not say that the URL must be present in the certificate, and checking for it is not part of the SSL protocol. Your application may choose to perform this check, though (for example, a web browser may pop up a warning to tell you if the URL you entered does not match the one in the certificate, but it is not a fatal error).

You can use the Cert-J APIs (SSL-J 3.1 relies on Cert-J 1.0) to extract the needed information from the subject name in order to compare it to the URL.
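One way an application can perform the comparison itself, shown as an added example that is not RSA's code and does not use the Cert-J API: it assumes the peer certificate is available as a standard JDK `java.security.cert.X509Certificate`, and the class and method names (`HostnameCheck`, `certNames`, `matches`, `hostMatchesCert`) are hypothetical. It goes slightly beyond the subject name by preferring dNSName subject alternative names when the certificate carries them.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class HostnameCheck {
    // Names the certificate asserts: dNSName SAN entries, else the subject CN.
    static List<String> certNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName type 2 is dNSName; its value is a String.
                if (((Integer) san.get(0)) == 2) names.add((String) san.get(1));
            }
        }
        if (names.isEmpty()) {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if (rdn.getType().equalsIgnoreCase("CN")) names.add(rdn.getValue().toString());
            }
        }
        return names;
    }

    // Case-insensitive match; a leading "*." stands for exactly one leftmost label.
    static boolean matches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT), h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return p.equals(h);
        int dot = h.indexOf('.');
        // Require at least two labels after the wildcard, so "*.com" never matches.
        return dot > 0 && h.substring(dot).equals(p.substring(1)) && p.indexOf('.', 2) > 0;
    }

    // Run after the handshake; the caller can close the connection on false.
    static boolean hostMatchesCert(X509Certificate cert, String host) throws Exception {
        for (String name : certNames(cert)) if (matches(name, host)) return true;
        return false;
    }

    public static void main(String[] args) {
        // Constructed names, not taken from a real certificate.
        System.out.println(matches("www.example.com", "WWW.example.com")); // exact name, other case
        System.out.println(matches("*.example.com", "a.b.example.com"));   // wildcard, two extra labels
        System.out.println(matches("*.com", "example.com"));               // wildcard under a single label
    }
}
```

The `host` argument is the host portion of the URL the client intended to reach, not a name read back from the connection.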
Legacy Article ID: a3220