Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:

> These actually removed support for CN-ID, and it is great that the
> browsers are in a position to do that.
>
> OpenSSL, however, is used in all kinds of intramural legacy systems,
> and backwards-compatibility is an important consideration.
>
> If we stop accepting CN-ID fallback by default, barring evidence that
> "nobody" still relies on CN-ID, OpenSSL should at least initially (in
> the first LTS release that changes the default) provide a flag that
> reënables the fallback, and only remove support in a subsequent
> release, giving users ample time to make the transition.

What I would like is:

1) an API call that turns CN-ID fallback off.
2) an option for "openssl s_client" to invoke it.
3) ideally, an environment variable I can set that does (1).

(3) especially so that I can easily (without recompiling) test
applications that might still be relying on the CN-ID check, and see
that they are now sane.
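As an added illustration (this is not code from the post, from the thread or from OpenSSL), here is a small Python reimplementation of RFC 6125 hostname matching with the CN-ID fallback as an explicit switch, so the three requested knobs can be seen side by side: the `allow_cn_fallback` argument plays the role of the API call in item (1), and a hypothetical environment variable, named `DISABLE_CN_FALLBACK` here, plays the role of item (3). The `audit()` helper is the "test applications without recompiling" check from the post: a certificate that passes only in the `cn_fallback` column is one a client is still accepting purely via the Common Name. Certificates are constructed dicts in the shape returned by `ssl.SSLSocket.getpeercert()`. (In OpenSSL itself, 1.1.0 and later provide `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` for `X509_check_host()` / `SSL_set_hostflags()`, which is the real-world form of item (1); the code below does not depend on it.)

```python
"""Added example (not from the post or from OpenSSL): RFC 6125-style
hostname matching with the CN-ID fallback as an explicit switch."""
import os

# Hypothetical environment variable standing in for the poster's item (3).
DISABLE_CN_FALLBACK_ENV = "DISABLE_CN_FALLBACK"


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; '*' allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # The wildcard must be the entire leftmost label and leave at least two
    # labels behind it, so "*.test" and "f*o.example.test" never match.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # A wildcard covers exactly one label: "*.api.example.test" matches
    # "v1.api.example.test" but neither "a.b.api.example.test" nor "api.example.test".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def _san_dns_ids(cert):
    """All dNSName entries of the subjectAltName extension (may be empty)."""
    return [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]


def _most_specific_cn(cert):
    """RFC 6125 uses only the last (most specific) commonName of the subject."""
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return cns[-1] if cns else None


def match_hostname(cert, hostname, allow_cn_fallback=None, env=None):
    """Return True if `hostname` is a valid reference identity for `cert`.

    allow_cn_fallback=None means "consult the environment" (item 3);
    an explicit bool is the API-level switch (item 1).
    """
    if allow_cn_fallback is None:
        env = os.environ if env is None else env
        allow_cn_fallback = not env.get(DISABLE_CN_FALLBACK_ENV)
    dns_ids = _san_dns_ids(cert)
    if dns_ids:
        # A SAN with dNSName entries is authoritative: the CN is ignored
        # regardless of the fallback setting, even if it would have matched.
        return any(_dns_match(p, hostname) for p in dns_ids)
    if not allow_cn_fallback:
        return False
    cn = _most_specific_cn(cert)
    return cn is not None and _dns_match(cn, hostname)


def audit(cert, hostname):
    """What a client sees with and without the fallback. A certificate that is
    accepted only in the 'cn_fallback' column is one the poster wants to find."""
    return {
        "cn_fallback": match_hostname(cert, hostname, allow_cn_fallback=True),
        "strict": match_hostname(cert, hostname, allow_cn_fallback=False),
    }


# Constructed sample certificates in the shape of ssl.SSLSocket.getpeercert().
SAN_CERT = {
    "subject": ((("commonName", "legacy.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "XX"),), (("commonName", "intranet.example.test"),)),
}

if __name__ == "__main__":
    for host in ("www.example.test", "legacy.example.test", "v1.api.example.test"):
        print(host, audit(SAN_CERT, host))
    print("intranet.example.test", audit(CN_ONLY_CERT, "intranet.example.test"))
```

Running the block shows the two cases the post cares about: `legacy.example.test` is rejected against `SAN_CERT` in both columns because a SAN with dNSName entries makes the CN irrelevant, while `CN_ONLY_CERT` is accepted only in the `cn_fallback` column, which is exactly the kind of certificate an application would stop accepting once the default changes.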