Re: (ITS#5938) tls.c does not conform to RFC 4513
On Feb 10, 2009, at 8:29 AM, h.b.furuseth@usit.uio.no wrote:
> quanah@zimbra.com writes:
>> This is because the Cert vendors themselves don't honor the RFCs
>> when issuing wildcard certs, and was added so that their broken
>> wildcard certs could still be used.
>
> In that case, maybe there should be a config option to turn this
> behavior on/off, and documentation which explains that it breaks the
> TLS standard and why it does so.
I think it reasonable to be liberal in what we accept in this
particular case.
It's not like someone is actually going to name a host '*'. If they
do, their certificate matching more hosts than they expect will be
just one of many problems they face.
>
>
> If nothing else, it may get more people to complain to the cert
> vendors.
Far more persons would complain to the OpenLDAP Project.