On Tue, Apr 19, 2022 at 10:07:15PM -0400, Viktor Dukhovni wrote:

> This is an apples/oranges dichotomy. "*" wildcards are "presented
> identifiers" in the certificate.
>
> If the documentation is not sufficiently clear (too subtle) on this
> point, would you like to suggest some text to clarify the documentation?
> A pull request?

Note that paragraph three of the DESCRIPTION reads:

    When name [bold font] starts with a dot (e.g. ".example.com"), it
    will be matched by a certificate valid for any sub-domain of name,
    (see also X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS below).

where it should ideally be clear that we're talking about the peer name
specified by the application (reference identifier in terms of RFC 6125),
not a DNS-ID in the certificate (presented identifier).

-- 
    Viktor.
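The distinction the message draws, made concrete as an added example that is not part of the thread and not OpenSSL's own code: a small Python model of host-name checking in which "*" wildcards only have meaning in the presented identifiers (the certificate's DNS-IDs) and a leading "." only has meaning in the reference identifier (the name the application passes in). `SINGLE_LABEL_SUBDOMAINS` stands in for `X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS`; its bit value, the restriction of wildcards to a whole left-most label, and the "at least two labels after the wildcard" rule are simplifying assumptions of this model, not a statement of what `X509_check_host()` does in every case.

```python
"""Model of reference identifier vs presented identifier matching.

Assumptions (not OpenSSL's implementation):
  * a wildcard is only honoured as the entire left-most label of a
    PRESENTED identifier, and only when at least two labels follow it;
  * a leading "." is only honoured in the REFERENCE identifier, where it
    means "any sub-domain of the suffix", or "exactly one label below the
    suffix" when SINGLE_LABEL_SUBDOMAINS is set;
  * the flag's bit value is arbitrary and chosen for this model only.
"""

SINGLE_LABEL_SUBDOMAINS = 0x1  # stand-in for X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def presented_matches_reference(presented: str, reference: str, flags: int = 0) -> bool:
    """True if the certificate DNS-ID `presented` satisfies the
    application-supplied `reference` identifier."""
    pres = _labels(presented)

    if reference.startswith("."):
        # Leading-dot reference: the application accepts a certificate valid
        # for a sub-domain of the suffix after the dot.  The suffix must match
        # on a label boundary, and the parent domain itself does not qualify.
        suffix = _labels(reference[1:])
        if len(pres) <= len(suffix) or pres[-len(suffix):] != suffix:
            return False
        depth = len(pres) - len(suffix)  # labels below the suffix
        if flags & SINGLE_LABEL_SUBDOMAINS:
            return depth == 1
        return True

    ref = _labels(reference)
    # A wildcard lives in the presented identifier.  It stands for exactly one
    # label, so "*.example.com" matches "www.example.com" but not
    # "a.b.example.com".  A "*" in the reference is just a literal character.
    if pres[0] == "*" and len(pres) == len(ref) and len(ref) >= 3:
        return pres[1:] == ref[1:]
    return pres == ref


def check_host(dns_ids: list[str], reference: str, flags: int = 0) -> bool:
    """Model of X509_check_host(): does any presented DNS-ID satisfy `reference`?"""
    return any(presented_matches_reference(p, reference, flags) for p in dns_ids)


if __name__ == "__main__":
    # Constructed sample certificate: one wildcard DNS-ID and one exact DNS-ID.
    cert_dns_ids = ["*.example.com", "mail.example.net"]

    for reference, flags in [
        ("www.example.com", 0),            # wildcard in the cert matches
        ("a.b.example.com", 0),            # one wildcard label does not span two labels
        (".example.com", 0),               # leading dot in the reference: any sub-domain
        (".example.net", SINGLE_LABEL_SUBDOMAINS),
        ("*.example.com", 0),              # "*" in the reference is literal
    ]:
        print(f"{reference!r:24} flags={flags} -> {check_host(cert_dns_ids, reference, flags)}")
```

Running the block prints one line per reference; the leading-dot references succeed because a DNS-ID one label below the suffix is present, while `a.b.example.com` fails because the wildcard covers a single label only. The literal reference `*.example.com` also matches here, but only because the certificate happens to carry that exact string, not because the reference is being expanded as a pattern.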