Re: RFC 9525 obsoletes commonName check
Michael Richardson
mcr at sandelman.ca
Sun Nov 19 07:23:52 UTC 2023
Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> These actually removed support for CN-ID, and it is great that the
> browsers are in a position to do that.
> OpenSSL, however, is used in all kinds of intramural legacy systems,
> and backwards-compatibility is an important consideration.
> If we stop accepting CN-ID fallback by default, barring evidence that
> "nobody" still relies on CN-ID, OpenSSL should at least initially (in
> the first LTS release that changes the default) provide a flag that
> reënables the fallback, and only remove support in a subsequent
> release, giving users ample time to make the transition.
What I would like is:
1) an API call that turns CN-ID fallback off.
2) an option for "openssl s_client" to invoke it.
3) ideally, an environment variable I can set that does (1).
(3) especially so that I can easily (without recompiling) test applications
that might still be relying on the CN-ID check, and see that they are now sane.
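Added example (not part of Michael's message, and not OpenSSL project code): a shell script that uses only the openssl command line to show the CN-ID fallback the thread is about. It generates two throwaway self-signed certificates (constructed test data; the names example.com and san.example.com are assumptions) and checks them with `openssl verify -verify_hostname`: a certificate with a subject CN and no subjectAltName matches on its CN, while a certificate that carries a SAN is matched on the SAN only, so its CN no longer counts. It needs an openssl binary that supports `req -addext` (1.1.1 or later). In library code the same default is controlled by the hostflags; X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, set through X509_VERIFY_PARAM_set_hostflags or SSL_set_hostflags, is the existing knob that disables the fallback for one verification context.

```shell
#!/bin/sh
# Added example (not from the thread): exercise OpenSSL's CN-ID fallback using
# the CLI only. Two self-signed test certificates (constructed test data) are
# written to a temporary directory and checked with `openssl verify`.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <out.pem> <CN> [<SAN, e.g. DNS:host>]
# Self-signed EC certificate valid for one day. When a SAN is given it is
# added with -addext, which needs OpenSSL 1.1.1 or newer.
make_cert() {
  out=$1; cn=$2; san=${3:-}
  if [ -n "$san" ]; then
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$out.key" -out "$out" -days 1 -subj "/CN=$cn" \
      -addext "subjectAltName=$san" >/dev/null 2>&1
  else
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$out.key" -out "$out" -days 1 -subj "/CN=$cn" >/dev/null 2>&1
  fi
}

# host_matches <cert.pem> <hostname>
# Exit status 0 when `openssl verify -verify_hostname` accepts the name.
# The certificate is passed as its own trust anchor (-CAfile) so that chain
# building cannot fail and only the hostname check decides the result.
host_matches() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# report <cert.pem> <hostname>: human-readable wrapper around host_matches
report() {
  if host_matches "$1" "$2"; then
    echo "$2 against $(basename "$1"): MATCH"
  else
    echo "$2 against $(basename "$1"): no match"
  fi
}

CN_ONLY="$WORK/cn-only.pem"    # subject CN=example.com, no SAN at all
WITH_SAN="$WORK/with-san.pem"  # subject CN=example.com, SAN DNS:san.example.com
make_cert "$CN_ONLY"  example.com
make_cert "$WITH_SAN" example.com DNS:san.example.com

report "$CN_ONLY"  example.com      # no SAN present: CN-ID fallback applies
report "$WITH_SAN" san.example.com  # DNS-ID taken from the SAN
report "$WITH_SAN" example.com      # SAN present: the CN is not consulted
```

The third call is the one to watch when auditing a deployment: a certificate whose CN is the only place the real hostname appears will stop validating as soon as CN-ID fallback is withdrawn, and adding any SAN to it already makes the CN irrelevant under today's defaults.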
More information about the openssl-users mailing list