[openssl-dev] [openssl.org #3502] nameConstraints bypass bug
Viktor Dukhovni via RT
rt at openssl.org
Tue May 31 02:38:47 UTC 2016
> On May 30, 2016, at 10:06 PM, Salz, Rich via RT <rt at openssl.org> wrote:
>
>> I'm not sure what "deprecated" and "mandated" mean in the openssl
>> context. If openssl actually de-implemented CN-as-hostname and actually
>> mandated SAN, that would solve the nameConstraints bypass bug in grand
>> style.
>
> Applications can do that now by setting the right flag, as Viktor pointed out. I think it's too late to make the default change for 1.1.
Well, to be fair, I was proposing a new flag. We don't yet have a flag to
suppress processing of CN in the absence of DNS-ID SANs.
--
Viktor.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3502
Please log in as guest with password guest if prompted