AW: RFC 9525 obsoletes commonName check
Michael Richardson
mcr at sandelman.ca
Sun Nov 19 17:47:00 UTC 2023
Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>> What I would like is: 1) an API call that turns CN-ID fallback off.
> That API call exists, and was described upthread.
Cool, I guess I missed that part.
>> 2) an option for "openssl s_client" to invoke it.
> This would need to be added.
>> 3) ideally, an environment variable I can set that does (1).
> I am not fond of environment variables that cause unexpected behaviour
> deep inside some library that the application neither wanted nor
> expected, and could cause security issues, ...
Nor I.
>> (3) especially so that I can easily (without recompiling) test
>> applications that might still be relying on CN-ID check, and see that
>> they are now sane.
> Recompile them with a library that disables the fallback, by default.
Often, it's hard to do this when libssl has been wrapped by a language-specific
library (python, ruby, rust, ...), and really the application lives
on top of that.
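The situation described above, as an added example that is not part of the thread: the application sits on a language wrapper, so the libssl call that switches the fallback off (setting X509_CHECK_FLAG_NEVER_CHECK_SUBJECT through X509_VERIFY_PARAM_set_hostflags or SSL_set_hostflags) is reachable only through whatever knob the wrapper exposes. In Python's ssl module that knob is SSLContext.hostname_checks_common_name. The script below builds two throw-away self-signed certificates with the openssl CLI (one with only a CN, one with a matching dNSName SAN), serves each on loopback, and records which handshakes a client accepts with the fallback on and off. It assumes an openssl binary on PATH (1.1.1 or later, for -addext) and Python 3.10 or later, where the attribute is effective; the hostname example.test, the file names and the helper names are chosen here for illustration.

```python
"""Added example: observe and switch off the CN-ID fallback from Python.

Generates two self-signed certificates with the openssl CLI (assumed to be
on PATH), serves each on 127.0.0.1, and checks whether a verifying client
completes the handshake with SSLContext.hostname_checks_common_name set to
True (libssl default) or False (X509_CHECK_FLAG_NEVER_CHECK_SUBJECT).
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "example.test"  # assumed name; only matched against the cert, never resolved


def make_self_signed(dirpath, name, subject, san=None):
    """Create a key and a self-signed cert via the openssl CLI; san is e.g. 'DNS:host'."""
    key = os.path.join(dirpath, name + ".key")
    crt = os.path.join(dirpath, name + ".crt")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
           "-days", "1", "-subj", subject, "-keyout", key, "-out", crt]
    if san is not None:
        cmd += ["-addext", "subjectAltName=" + san]
    subprocess.run(cmd, check=True, capture_output=True)
    return key, crt


def _serve_one_handshake(listener, key, crt):
    """Accept one connection and attempt a TLS handshake presenting the given cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)  # wait for the client to close the session
    except (ssl.SSLError, OSError):
        pass  # client rejected the certificate and aborted the handshake
    finally:
        conn.close()


def client_accepts(crt, key, allow_cn_fallback):
    """True if a verifying client with the given CN-fallback policy finishes the handshake."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server = threading.Thread(target=_serve_one_handshake, args=(listener, key, crt))
    server.start()

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.load_verify_locations(cafile=crt)          # trust the self-signed cert as its own anchor
    ctx.hostname_checks_common_name = allow_cn_fallback  # wrapper's handle on NEVER_CHECK_SUBJECT
    try:
        with socket.create_connection(listener.getsockname()) as raw:
            with ctx.wrap_socket(raw, server_hostname=HOSTNAME):
                return True
    except ssl.SSLCertVerificationError:
        return False  # e.g. "Hostname mismatch" for a CN-only cert with the fallback off
    finally:
        server.join()
        listener.close()


def run_matrix():
    """Four handshakes: {CN-only cert, SAN cert} x {fallback on, fallback off}."""
    with tempfile.TemporaryDirectory() as d:
        cn_key, cn_crt = make_self_signed(d, "cn_only", "/CN=" + HOSTNAME)
        san_key, san_crt = make_self_signed(d, "san", "/CN=" + HOSTNAME, "DNS:" + HOSTNAME)
        return {
            "cn_only/fallback_on": client_accepts(cn_crt, cn_key, True),
            "cn_only/fallback_off": client_accepts(cn_crt, cn_key, False),
            "san/fallback_on": client_accepts(san_crt, san_key, True),
            "san/fallback_off": client_accepts(san_crt, san_key, False),
        }


if __name__ == "__main__":
    for case, ok in run_matrix().items():
        print(f"{case:22s} {'accepted' if ok else 'rejected'}")
```

Only the CN-only certificate with the fallback left on is accepted by virtue of the CN; with the fallback off it is rejected, while the SAN certificate passes either way. That is also the test to run against a wrapped application: point it at a CN-only server certificate and see whether the handshake still succeeds.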