On Fri, 2015-01-02 at 21:37 +0000, David Woodhouse wrote:
> On Fri, 2015-01-02 at 23:16 +0200, Nikos Mavrogiannopoulos wrote:
> > On Fri, 2015-01-02 at 09:40 +0000, David Woodhouse wrote:
> > >
> > > > The latter is probably difficult, but printing the hash and key IDs is
> > > > probably a good idea. I'll check it.
> > > Well, if the luci https service is using the *same* cert as ocserv then
> > > presumably it's already been accepted.
> >
> > No it is not. I don't think it is a good idea to mix keys for different
> > services.
> Hm, is there a way for an X.509 certificate to specify which
> ports/services it's valid for? We only actually validate the *hostname*,
> because I thought that's all there was.

There is the key purpose X.509 extension. It is typically set to "TLS WWW
server". I'd expect different services to use a different key purpose,
although that's not so common.

regards,
Nikos
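The key purpose extension Nikos refers to is the Extended Key Usage (EKU) extension of RFC 5280, a SEQUENCE of OIDs, where "TLS WWW server" is id-kp-serverAuth. The following added example (not code from this thread, from ocserv or from luci) is a minimal, dependency-free DER decoder for that extension value together with a check that a certificate's purposes include the one a given service requires. The EKU byte strings it parses are constructed for the example rather than taken from any real certificate; the function names are this example's own.

```python
# Added example: decode an X.509 Extended Key Usage (key purpose) extension
# value and check it against the purpose a service requires.
# All EKU byte strings below are constructed for this example.

# Key purpose OIDs from RFC 5280 section 4.2.1.12.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth ("TLS WWW server")
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage

# Constructed EKU extension values (DER: SEQUENCE OF OBJECT IDENTIFIER).
WEB_SERVER_EKU = bytes.fromhex(
    "3014"
    "06082b06010505070301"   # serverAuth
    "06082b06010505070302"   # clientAuth
)
CODE_SIGNING_EKU = bytes.fromhex("300a" "06082b06010505070303")
ANY_PURPOSE_EKU = bytes.fromhex("3006" "0604551d2500")


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode the base-128 content octets of an OBJECT IDENTIFIER."""
    first = content[0]
    # The first octet packs the first two arcs; arc 2 (joint-iso-itu-t)
    # can exceed 39, so values >= 80 belong to it.
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Return the list of key-purpose OIDs carried by an EKU extension value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OIDs")
        oids.append(_decode_oid(content))
    return oids


def allows_purpose(eku_der, required_oid):
    """True if the certificate may be used for required_oid.

    A certificate without the EKU extension (None here) imposes no
    restriction per RFC 5280; anyExtendedKeyUsage permits every purpose.
    """
    if eku_der is None:
        return True
    purposes = parse_eku(eku_der)
    return required_oid in purposes or ANY_EKU in purposes


if __name__ == "__main__":
    # A VPN service that expects a "TLS WWW server" certificate would
    # accept the first value and refuse the code-signing-only one.
    print(parse_eku(WEB_SERVER_EKU))
    print(allows_purpose(WEB_SERVER_EKU, SERVER_AUTH))
    print(allows_purpose(CODE_SIGNING_EKU, SERVER_AUTH))
```

In a real client the extension value would be taken from the parsed certificate (OID 2.5.29.37) and the required purpose chosen per service; the point of the check is that it fails closed whenever an EKU is present but does not list the purpose the service needs.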