Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:

>> What I would like is: 1) an API call that turns CN-ID fallback off.
> That API call exists, and was described upthread.

Cool, I guess I missed that part.

>> 2) an option for "openssl s_client" to invoke it.
> This would need to be added.

>> 3) ideally, an environment variable I can set that does (1).
> I am not fond of environment variables that cause unexpected behaviour
> deep inside some library that the application neither wanted nor
> expected, and could cause security issues, ...

Nor I.

>> (3) especially so that I can easily (without recompiling) test
>> applications that might still be relying on CN-ID check, and see that
>> they are now sane.
> Recompile them with a library that disables the fallback, by default.

Often, it's hard to do this when libssl has been wrapped by a language-specific library (python, ruby, rust, ...), and really the application lives on top of that.
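Since the thread turns on libssl being wrapped by a language library, here is how the "turn CN-ID fallback off" call surfaces in Python's standard ssl module, and a small helper for the "is this application now sane?" check. This is an added example, not code from the thread or from OpenSSL; the function names are my own, and it assumes Python 3.7+ on an OpenSSL 1.1.0+ build.

```python
import ssl


def fallback_disable_supported():
    """True when the underlying OpenSSL lets Python switch CN-ID fallback off."""
    return ssl.HAS_NEVER_CHECK_COMMON_NAME


def strict_client_context(cafile=None):
    """Client context that verifies the peer and never falls back to CN-ID.

    On older builds the attribute is read-only and
    ssl.HAS_NEVER_CHECK_COMMON_NAME is False, so fail loudly rather than
    silently keep the fallback the caller asked to remove.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True             # name must match a SAN dNSName
    ctx.verify_mode = ssl.CERT_REQUIRED   # peer must present a chain we trust
    if not fallback_disable_supported():
        raise RuntimeError("this OpenSSL build cannot disable CN-ID fallback")
    # Python exposes OpenSSL's "never check subject" behaviour as a context
    # attribute; it defaults to True (fallback on), so it must be set explicitly.
    ctx.hostname_checks_common_name = False
    return ctx


def cn_fallback_state(ctx):
    """Summarise a context's hostname-check configuration, e.g. for auditing a
    context handed to you by a wrapper library or framework."""
    return {
        "check_hostname": ctx.check_hostname,
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        # Attribute absent on very old Pythons means fallback is effectively on.
        "cn_fallback": getattr(ctx, "hostname_checks_common_name", True),
    }


if __name__ == "__main__":
    print(cn_fallback_state(strict_client_context()))
```

With fallback disabled, a server presenting a certificate whose only name is in the CN fails hostname verification even though the chain is trusted.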