[gnutls-devel] GnuTLS | GnuTLS incorrectly accepts certificates with mismatched Common Name (CN) during TLS handshake (#1711)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu May 15 07:17:51 CEST 2025
Jennifer-first created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1711
## Description of problem:
During testing of GnuTLS certificate verification, we observed that gnutls-cli accepts a server certificate whose Common Name (CN) does not match the hostname of the server it connects to (localhost). This may allow a Man-in-the-Middle (MitM) attack if hostname verification is improperly implemented or omitted.
[deepseek.py](/uploads/932d7a897a12f310fb2e45e8be4d59f0/deepseek.py)
## Version of gnutls used:
gnutls 3.7.3
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
Steps to Reproduce:
* one: `python3 deepseek.py`
## Actual results:
The connection succeeds and the certificate is accepted, even though the Common Name does not match the hostname. This behavior may indicate that hostname verification is either missing or not enabled by default.

## Expected results:
GnuTLS should reject the certificate because the CN in the server certificate (WrongServer) does not match the target hostname (localhost).
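The check the report expects, as an added example that is not part of the original issue and is not GnuTLS code: a simplified RFC 6125-style matcher that compares a reference hostname with a certificate's dNSName SAN entries and falls back to the CN only when no dNSName is present. The function names and the sample certificate fields are hypothetical and constructed for illustration; the wildcard rule is a conservative assumption of this sketch.

```python
# Added illustration: a simplified RFC 6125-style name check, not GnuTLS code.
# Function names are hypothetical and the sample data is constructed.

def dns_name_matches(pattern, host):
    """Compare one presented DNS name against the reference hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard only as the whole left-most label, and only with at
        # least two labels after it, so "*.com" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(hostname, san_dns_names, common_name):
    """Return (ok, reason). dNSName SAN entries take precedence; the CN is
    consulted only when the certificate carries no dNSName at all."""
    if san_dns_names:
        for name in san_dns_names:
            if dns_name_matches(name, hostname):
                return True, f"SAN dNSName {name!r} matches"
        return False, f"no SAN dNSName matches {hostname!r}"
    if common_name and dns_name_matches(common_name, hostname):
        return True, f"CN {common_name!r} matches (no SAN present)"
    return False, f"CN {common_name!r} does not match {hostname!r}"


# Constructed samples: (reference hostname, SAN dNSNames, subject CN).
SAMPLES = [
    ("localhost", [], "WrongServer"),             # the case in the report
    ("localhost", [], "localhost"),               # CN fallback, match
    ("localhost", ["localhost"], "WrongServer"),  # SAN decides, CN ignored
    ("www.example.com", ["*.example.com"], "x"),  # wildcard, one label
    ("example.com", ["*.example.com"], "example.com"),  # SAN present, CN unused
    ("foo.com", ["*.com"], ""),                   # over-broad wildcard
]


def evaluate(samples=SAMPLES):
    """Return the accept/reject decision for each sample as a list of bools."""
    return [hostname_matches(h, s, c)[0] for h, s, c in samples]


if __name__ == "__main__":
    for (h, s, c), ok in zip(SAMPLES, evaluate()):
        print(f"{h:16} SAN={s} CN={c!r} -> {'accept' if ok else 'reject'}")
```

In a GnuTLS application the corresponding check is requested by passing the expected hostname to `gnutls_session_set_verify_cert()` or by calling `gnutls_x509_crt_check_hostname()` on the peer certificate.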