On Sun, Nov 19, 2023 at 06:47:00PM +0100, Michael Richardson wrote:
> > Recompile them with a library that disables the fallback, by default.
>
> Often, it's hard to do this when libssl has been wrapped by a language
> specific library (python, ruby, rust, ...), and really the application lives
> on top of that.

Ultimately, that's what test platforms are for, the entire system can be
running bleeding-edge (pre?)release code, including perhaps a version of
say OpenSSL where CN-ID is not checked by default.

Given the existence of the "never" flag, all one has to do is turn that
flag on by default, and require a "sometimes" (when no SANs available)
flag to turn it back on.

-- 
Viktor.
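An added example, not part of this thread or of OpenSSL's own code, showing the two policies the reply contrasts: a small hostname matcher in which the subject CN is consulted only when the certificate carries no dNSName SAN ("sometimes") or is ignored outright ("never"), plus a client SSLContext where Python's `hostname_checks_common_name` attribute switches the CN fallback off. The certificates are constructed dicts rather than real X.509 objects, and the policy names are assumptions for illustration.

```python
import ssl

# Policy names are mine, not OpenSSL's:
#   "sometimes" - use the subject CN only when there is no dNSName SAN (the usual fallback)
#   "never"     - ignore the CN entirely, as X509_CHECK_FLAG_NEVER_CHECK_SUBJECT does
CN_SOMETIMES = "sometimes"
CN_NEVER = "never"


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one presented DNS identifier against a hostname (simplified).

    Case-insensitive; a single '*' is accepted only as the whole leftmost label
    and only against a hostname with the same number of labels, so
    '*.example.com' matches 'a.example.com' but not 'b.a.example.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def match_hostname(cert: dict, hostname: str, cn_policy: str = CN_SOMETIMES) -> bool:
    """Is `cert` (a constructed dict with 'san_dns' and 'cn') valid for `hostname`?"""
    san_dns = cert.get("san_dns", [])
    if san_dns:
        # Once any dNSName SAN is present the CN is never consulted (RFC 6125).
        return any(_dns_name_match(name, hostname) for name in san_dns)
    if cn_policy == CN_NEVER or not cert.get("cn"):
        # No SANs: the "never" policy rejects the certificate outright.
        return False
    # No SANs and fallback permitted: fall back to the subject CN.
    return _dns_name_match(cert["cn"], hostname)


def make_strict_context() -> ssl.SSLContext:
    """Client context with the CN fallback disabled, i.e. "never" as the default.
    CPython maps this attribute onto X509_CHECK_FLAG_NEVER_CHECK_SUBJECT."""
    ctx = ssl.create_default_context()
    ctx.hostname_checks_common_name = False
    return ctx


# Constructed sample certificates, not real ones:
SAN_CERT = {"cn": "ignored.example", "san_dns": ["www.example.com", "*.api.example.com"]}
CN_ONLY_CERT = {"cn": "legacy.example.com", "san_dns": []}
```

With `CN_NEVER` as the default, `CN_ONLY_CERT` fails even though its CN matches, which is exactly the breakage a test platform running such a build would surface before production.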