AuthenticateAsClient giving RemoteCertificateNameMismatch in ValidateServerCertificate when San not matched with CN

Question

private bool ValidateServerCertificate(
             object sender,
             X509Certificate certificate,
             X509Chain chain,
             SslPolicyErrors sslPolicyErrors) {}

sslPolicyErrors is set to RemoteCertificateNameMismatch when Server Certificate is having SAN different to Common Name. ValidateServerCertificate is called when AuthenticateAsClient() Start the handshake along with server authentication.

Example: CN: server_cert SAN: DNS:test

But below settings would not give any sslPolicyErrors.

CN: server1 SAN: DNS:server1,server2

Answer 1

TLS client ignores Subject field of the certificate when SAN extension is presented. This means that you should connect to a name that is listed in SAN extension, otherwise you get TLS handshake error due to certificate validation failure.