Re: AW: RFC 9525 obsoletes commonName check

Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
    >> What I would like is: 1) an API call that turns CN-ID fallback off.

    > That API call exists, and was described upthread.

Cool, I guess I missed that part.

    >> 2) an option for "openssl s_client" to invoke it.

    > This would need to be added.

    >> 3) ideally, an environment variable I can set that does (1).

    > I am not fond of environment variables that cause unexpected behaviour
    > deep inside some library that the application neither wanted nor
    > expected, and could cause security issues, ...

Nor I.

    >> (3) especially so that I can easily (without recompiling) test
    >> applications that might still be relying on CN-ID check, and see that
    >> they are now sane.

    > Recompile them with a library that disables the fallback, by default.

Often, it's hard to do this when libssl has been wrapped by a language-specific
library (python, ruby, rust, ...), and really the application lives
on top of that.
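The thread above is about the CN-ID fallback that RFC 9525 removes and the API that switches it off. The following is an added example, not code from this thread or from OpenSSL: a small Python model of the RFC 9525 matching rule (SAN dNSNames take precedence, commonName is consulted only when no SAN is present and only if fallback is allowed, a wildcard may stand only for the whole left-most label), plus, for the "wrapped by a language-specific library" case in the last paragraph, the toggle Python's own `ssl` module exposes for OpenSSL's `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT`. The certificate dictionaries are constructed for the example and mirror the shape returned by `SSLSocket.getpeercert()`; the function names `dns_name_matches`, `hostname_matches` and `disable_cn_fallback` are mine.

```python
import ssl

# Constructed sample "certificates" in the dict shape returned by
# ssl.SSLSocket.getpeercert(). The first carries a SAN extension whose names
# deliberately do NOT include the CN; the second has only a CN.
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "legacy.example.com"),),),
}


def dns_name_matches(presented: str, reference: str) -> bool:
    """Match one presented dNSName against the reference DNS-ID.

    Comparison is case-insensitive, label by label. A single '*' is accepted
    only as the complete left-most label (no 'f*o.example.com', no '*.com'),
    and it never matches more than one label, as RFC 9525 section 6.3 requires.
    """
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r) or len(p) < 2:
        return False
    if p[0] == "*":
        # Wildcard label: require at least two further labels so '*.com' is refused,
        # then the remaining labels must be identical.
        return len(p) >= 3 and p[1:] == r[1:]
    # Any '*' that is not the whole left-most label is not a wildcard at all.
    if "*" in presented:
        return False
    return p == r


def hostname_matches(cert: dict, hostname: str, allow_cn_fallback: bool) -> bool:
    """Decide whether `cert` is valid for `hostname`.

    If the certificate has any dNSName SAN entries, only those are consulted;
    the CN is ignored even when it would have matched. Without SAN entries the
    CN is used only when the caller still allows the deprecated CN-ID fallback.
    """
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return any(dns_name_matches(s, hostname) for s in sans)
    if not allow_cn_fallback:
        return False
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(dns_name_matches(c, hostname) for c in cns)


def disable_cn_fallback(ctx: ssl.SSLContext) -> bool:
    """Turn the CN-ID fallback off on a Python SSLContext, without recompiling.

    CPython's ssl module exposes OpenSSL's X509_CHECK_FLAG_NEVER_CHECK_SUBJECT as
    SSLContext.hostname_checks_common_name (Python 3.7+, OpenSSL 1.1.0+). Returns
    True when the fallback is now disabled, False if this build has no such knob.
    """
    if not hasattr(ctx, "hostname_checks_common_name"):
        return False
    ctx.hostname_checks_common_name = False
    return not ctx.hostname_checks_common_name


if __name__ == "__main__":
    for cert, name, fallback in [
        (CERT_WITH_SAN, "www.example.com", True),
        (CERT_WITH_SAN, "legacy.example.com", True),   # CN ignored: SAN present
        (CERT_WITH_SAN, "v1.api.example.com", False),
        (CERT_CN_ONLY, "legacy.example.com", True),
        (CERT_CN_ONLY, "legacy.example.com", False),   # fallback off: refused
    ]:
        print(f"{name:22} fallback={fallback!s:5} -> {hostname_matches(cert, name, fallback)}")
    print("fallback disabled on default context:", disable_cn_fallback(ssl.create_default_context()))
```

Running the file prints the verdict for each case; the two lines worth noticing are `legacy.example.com` against `CERT_WITH_SAN`, which is refused even with fallback on because a SAN is present, and the same name against `CERT_CN_ONLY`, which flips from accepted to refused as soon as the fallback is off. That second flip is exactly what `disable_cn_fallback` does for real connections made through a Python wrapper.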
