[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: RFC 2830 TLS server identity checks
I've just checked this in. The code now checks for the subjectAltName before
looking
at the certificate subject's CommonName. It also does wildcard checks on the
altnames.
The RFC doesn't specify, but I don't believe you should ever see a
CommonName with a
wildcard present, so that is left as a straight comparison.
Something that might be desirable as an enhancement, would be to allow a
client to
continue with a connection even if the server name doesn't match. I believe
we would
need to add an error code to describe this case, or perhaps a callback
function for
prompting the user. It might also require a command-line option, perhaps an
ldaprc
keyword as well. Maybe more work than it's worth.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
> Sent: Wednesday, August 29, 2001 2:46 PM
> To: openldap-devel@OpenLDAP.org
> Subject: RFC 2830 TLS server identity checks
>
>
> Fully implementing 2830, Section 3.6, Server identity checks
> is another big TODO for 2.1. OpenSSL API experience useful.
> Any takers?
>