[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: RFC 2830 TLS server identity checks

I've just checked this in. The code now checks for the subjectAltName before
at the certificate subject's CommonName. It also does wildcard checks on the
The RFC doesn't specify, but I don't believe you should ever see a
CommonName with a
wildcard present, so that is left as a straight comparison.

Something that might be desirable as an enhancement, would be to allow a
client to
continue with a connection even if the server name doesn't match. I believe
we would
need to add an error code to describe this case, or perhaps a callback
function for
prompting the user. It might also require a command-line option, perhaps an
keyword as well. Maybe more work than it's worth.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
> Sent: Wednesday, August 29, 2001 2:46 PM
> To: openldap-devel@OpenLDAP.org
> Subject: RFC 2830 TLS server identity checks
> Fully implementing 2830, Section 3.6, Server identity checks
> is another big TODO for 2.1.  OpenSSL API experience useful.
> Any takers?