
Re: (ITS#5938) tls.c does not conform to RFC 4513



On Feb 10, 2009, at 8:29 AM, h.b.furuseth@usit.uio.no wrote:

> quanah@zimbra.com writes:
>> This is because the Cert vendors themselves don't honor the RFCs when
>> issuing wildcard certs, and was added so that their broken wildcard
>> certs could still be used.
>
> In that case, maybe there should be a config option to turn this
> behavior on/off, and documentation which explains that it breaks TLS
> the standard and why it does so.

I think it reasonable to be liberal in what we accept in this  
particular case.

It's not like someone is actually going to name a host '*'.  If they  
do, their certificate matching more hosts than they expect will be  
just one of many problems they face.

>
>
> If nothing else, it may get more people to complain to the cert vendors.

Far more persons would complain to the OpenLDAP Project.