[Date Prev][Date Next]
Re: StartTLS with a host alias
Hallvard B Furuseth wrote:
Howard Chu writes:
Hm, good point. The OpenSSL function used in libldap/tls.c doesn't have an
argument to specify which CN to return. That code may need to be rewritten.
Well, there can be any number of CNs in a DN. But only the
most-inferior RDN actually names the certificate, therefore that's the
only one that may be used in hostname checking.
Then something (OpenSSL?) is broken. The hostname which succeeded is in
the topmost of his RDNs which has a CN, not in the most inferior RDN.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/