RE: RFC 2830 TLS server identity checks
I've just checked this in. The code now checks for the subjectAltName before
at the certificate subject's CommonName. It also does wildcard checks on the
The RFC doesn't specify, but I don't believe you should ever see a
CommonName with a wildcard present, so that is left as a straight comparison.
Something that might be desirable as an enhancement, would be to allow a
continue with a connection even if the server name doesn't match. I believe
need to add an error code to describe this case, or perhaps a callback
prompting the user. It might also require a command-line option, perhaps an
keyword as well. Maybe more work than it's worth.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
> Sent: Wednesday, August 29, 2001 2:46 PM
> To: openldap-devel@OpenLDAP.org
> Subject: RFC 2830 TLS server identity checks
> Fully implementing 2830, Section 3.6, Server identity checks
> is another big TODO for 2.1. OpenSSL API experience useful.
> Any takers?
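The matching order Howard describes (subjectAltName dNSName values first, wildcards honoured there, then a plain comparison against the subject CommonName) as an added, self-contained example; this is not OpenLDAP's code, it uses no OpenSSL API, and the function names, the rule that the CN is ignored whenever any dNSName is present, and the sample certificate names are assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Match one dNSName pattern against the expected host name. A wildcard is
 * honoured only as the entire leftmost label ("*.example.com") and covers
 * exactly one label, so "a.b.example.com" and "example.com" do not match.
 * DNS names are case-insensitive, so the comparison ignores case. */
int match_dnsname(const char *pattern, const char *host)
{
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)           /* need a non-empty leftmost label */
            return 0;
        if (strchr(pattern + 2, '.') == NULL)     /* refuse "*.com"-style patterns */
            return 0;
        return strcasecmp(dot + 1, pattern + 2) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Check the certificate's claimed identities against the host the client
 * connected to: subjectAltName dNSName values first (wildcards allowed),
 * then the subject CommonName as a straight comparison with no wildcard.
 * Assumption: when any dNSName is present the CN is not consulted.
 * Returns 1 when the identity matches, 0 otherwise. */
int check_server_identity(const char *host, const char *const *sans,
                          size_t nsans, const char *cn)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (match_dnsname(sans[i], host))
                return 1;
        return 0;
    }
    /* No subjectAltName: fall back to the CN, compared literally. */
    return cn != NULL && strcasecmp(cn, host) == 0;
}

int main(void)
{
    /* Constructed sample certificate contents, not taken from any real server. */
    const char *const sans[] = { "ldap1.example.com", "*.example.com" };
    const char *host = "ldap2.example.com";
    int ok = check_server_identity(host, sans, 2, "ignored.example.com");
    printf("%s: identity %s\n", host, ok ? "matches" : "MISMATCH");
    return ok ? 0 : 1;
}
```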