SSL server X.509 certificate name and DNS name mismatch (SslCertificateFqdnMismatch)

Vuln ID: 31407
Risk Level: Medium
Platforms: IBM AIX, Wind River BSDOS, HP HP-UX, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Apache HTTP Server, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, OpenSSL OpenSSL, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X, Microsoft Windows Vista, Microsoft Internet Information Server, Microsoft Windows 7, Microsoft Windows Server 2008, Microsoft Windows Server 2008: R2, Microsoft Windows Server 2012, Microsoft Windows 8

Servers and clients use X.509 certificates when establishing a connection over Secure Sockets Layer (SSL) or its successor, TLS. A client authenticates the server by comparing the host name it set out to reach against the dNSName entries of the certificate's SubjectAltName extension and, as a fallback in older clients, the Subject commonName field. If none of these names matches the fully qualified domain name (FQDN) of the host as determined through the Domain Name System (DNS), the certificate does not prove that the client is talking to the intended server, and a client that accepts it anyway is exposed to a man-in-the-middle attack.


Public-facing or production server applications should use a certificate signed by a public, trusted Certificate Authority (CA) that carries the server's fully qualified domain name(s) as dNSName entries in the SubjectAltName extension. The Subject commonName may repeat one of those names, but modern clients ignore the commonName whenever a SubjectAltName extension is present (RFC 6125), so it cannot substitute for the extension.
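The name comparison described above, and the SubjectAltName-over-commonName precedence the remediation relies on, as an added example that is not part of this X-Force record or its scanner. Certificates are modelled as the dict that Python's ssl.SSLSocket.getpeercert() returns; the sample certificates and host names are constructed for the example, and fetch_cert() is an assumed helper for pulling a live certificate rather than anything the scanner does. check_fqdn_mismatch() accepts several DNS-derived names for one target, which is how a practitioner would re-check a round-robin DNS host by hand before accepting the scanner's verdict.

```python
"""RFC 6125 style host name matching against an X.509 certificate.

Added example, not X-Force scanner code. Certificates are the dict shape
returned by ssl.SSLSocket.getpeercert(); sample data below is constructed.
"""
import socket
import ssl


def names_from_cert(cert):
    """Return (san_dns_names, common_names) from a getpeercert()-style dict."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return san, cns


def dns_name_matches(pattern, hostname):
    """Compare one certificate name against a host name.

    Case-insensitive; a wildcard must be the entire left-most label, matches
    exactly one label, and is refused for patterns as short as '*.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or "*" in plabels[1:]:
        return False  # e.g. 'f*.example.com' or '*.*.example.com'
    if len(plabels) < 3:
        return False  # '*.com' would cover a whole public suffix
    if len(hlabels) != len(plabels):
        return False  # '*' covers one label, never 'a.b.api.example.com'
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate is valid for hostname.

    dNSName SAN entries take precedence; the Subject commonName is consulted
    only when the certificate carries no dNSName SAN at all (RFC 6125 6.4.4).
    """
    san, cns = names_from_cert(cert)
    candidates = san if san else cns
    return any(dns_name_matches(p, hostname) for p in candidates)


def check_fqdn_mismatch(cert, fqdns):
    """Scanner-style verdict over every DNS-derived name for one target.

    Returns (mismatch, matched_names); mismatch is True only when none of the
    supplied names is covered by the certificate.
    """
    matched = [n for n in fqdns if hostname_matches(cert, n)]
    return (len(matched) == 0, matched)


def fetch_cert(host, port=443, timeout=5):
    """Assumed helper: fetch the peer certificate as a getpeercert() dict.

    Host name checking is disabled so a mismatched certificate is returned
    rather than rejected; CA validation still applies, so a self-signed
    certificate raises ssl.SSLCertVerificationError. server_hostname is sent
    as SNI, which matters on hosts that serve several certificates.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape.
SAN_CERT = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.net"),)),
}


if __name__ == "__main__":
    # A PTR record from a round-robin pool alone looks like a mismatch ...
    print(check_fqdn_mismatch(SAN_CERT, ["web3.pool.example.com"]))
    # ... but adding the published service name clears it.
    print(check_fqdn_mismatch(SAN_CERT, ["web3.pool.example.com", "www.example.com"]))
```

Run it against a real host with `check_fqdn_mismatch(fetch_cert("example.org"), ["example.org"])`; pass every name the host is reachable under, not just the reverse-DNS result, before recording a mismatch.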

False Positives: Complex setups, such as round-robin DNS, may cause this check to falsely report servers. In that case, the certificate validity should be manually confirmed by an administrator.
False Negatives:
Required Permission:
Additional Information:

Please note that this check can potentially be time consuming, and may greatly increase the time required to perform a scan.

ISS X-Force