On Sun, Nov 19, 2023 at 08:23:52AM +0100, Michael Richardson wrote:

> What I would like is:
> 1) an API call that turns CN-ID fallback off.

That API call exists, and was described upthread.

> 2) an option for "openssl s_client" to invoke it.

This would need to be added.

> 3) ideally, an environment variable I can set that does (1).

I am not fond of environment variables that cause unexpected behaviour
deep inside some library that the application neither wanted nor
expected, and could cause security issues, ...

> (3) especially so that I can easily (without recompiling) test applications
> that might still be relying on CN-ID check, and see that they are now sane.

Recompile them with a library that disables the fallback, by default.

--
    Viktor.