[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5938) tls.c does not conform to RFC 4513

On Feb 10, 2009, at 8:29 AM, h.b.furuseth@usit.uio.no wrote:

> quanah@zimbra.com writes:
>> This is because the Cert vendors themselves don't honor the RFC's  
>> when
>> issuing wildcard certs, and was added so that their broken wildcard
>> certs could still be used.
> In that case, maybe there should be a config option to turn this
> behavior on/off, and documentation which explains that it breaks TLS
> the standard and why it does so.

I think it reasonable to be liberal in what we accept in this  
particular case.

It's not like someone is actually going to name a host '*'.  If they  
do, their certificate matching more hosts than they expect will be  
just one of many problems they face.

> If nothing else, it may get more people to complain to the cert  
> vendors.

Far more persons would complain to the OpenLDAP Project.