------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1479

--- Comment #6 from Phil Pennock <[email protected]> 2014-05-18 04:09:38 ---

Yeah, list, not hostlist, I was being a little silly again -- we need to be able to get one absolute name, rather than a pattern, for canonical name extraction for later merging with `tls_sni`. So on reflection, providing the lookup keys from this new option and looking up in the cert, instead of extracting names from the cert to look up in a hostlist, is correct, so that LGTM.

There are rules for wildcard name matching in RFC 6125 section 6.4.3 which, beyond your code, add support for the `*` not being the only component of a label. Frankly, that's stupid and adds yet more complexity in an already overly twisted area, especially since there's no statement around labels with multiple wildcards in them (`f*b*r`) and handling that quickly leads to DoS opportunities. So I'm inclined to have the wildcard support only handle the case where a complete label is replaced by `*`, exactly as you have it, but we probably need to document this as "how Exim handles wildcards in certificates".

I'm not aware of a certificate profile for email, and we haven't been matching before, so unless Viktor presents a compelling argument for doing something else, for consistency with other checkers, we can simplify the implicit application profile for email by not supporting that craziness.

Viktor, any strong feelings on wildcards other than whole-label?

-- 
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
List details at https://lists.exim.org/mailman/listinfo/exim-dev
Exim details at http://www.exim.org/
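The whole-label wildcard policy discussed in the comment above, worked through as an added C example. This is illustration code written for this page, not Exim's own matcher and not code from the thread. The function names `cert_name_match` and `cert_names_contain`, the constructed SAN list in `main`, and two policy details are assumptions: the wildcard is accepted only in the leftmost label (RFC 6125 section 6.4.3's position rule, which the comment does not spell out), and a pattern such as `*.com` whose suffix has a single label is refused. The partial-label forms the comment declines (`f*b*r`, `mail*`) are rejected as invalid patterns, which is what keeps the matcher linear in the input length and free of the backtracking that multi-wildcard labels would need.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes (DNS names are case-insensitive). */
static int ci_eq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match one certificate name (pattern) against one lookup key (host) under the
 * whole-label wildcard policy:
 *   - a '*' is accepted only as the complete leftmost label ("*.example.com");
 *     the partial-label forms RFC 6125 6.4.3 additionally permits
 *     ("f*b*r.example.com", "mail*.example.com") are rejected outright, so no
 *     backtracking is ever needed and matching stays O(len);
 *   - the wildcard matches exactly one non-empty label, never zero labels and
 *     never across a '.';
 *   - ASSUMPTION (not stated in the thread): the part after "*." must hold at
 *     least two labels, so "*.com" cannot match "evil.com".
 * Returns 1 on match, 0 on mismatch or on a pattern the policy refuses. */
int cert_name_match(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;
    if (strstr(pattern, "..") != NULL || strstr(host, "..") != NULL)
        return 0;                               /* empty labels are never valid */

    const char *star = strchr(pattern, '*');
    if (star == NULL) {                         /* no wildcard: exact, case-insensitive */
        size_t pl = strlen(pattern);
        return pl == strlen(host) && ci_eq_n(pattern, host, pl);
    }

    /* Exactly one '*', and it must be the whole first label: "*." then more. */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return 0;
    const char *suffix = pattern + 1;           /* ".example.com" */
    if (strchr(suffix + 1, '.') == NULL)        /* refuse "*.com" (assumption above) */
        return 0;

    /* The wildcard covers host's first label only; the rest must equal suffix. */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;
    size_t sl = strlen(suffix);
    return strlen(dot) == sl && ci_eq_n(dot, suffix, sl);
}

/* Direction the comment settles on: take the lookup key from the option and
 * look it up in the certificate's names, rather than pulling names out of the
 * cert and matching them against a host list. */
int cert_names_contain(const char *const *names, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (cert_name_match(names[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed SAN list standing in for what would be read from the cert. */
    const char *const sans[] = { "mail.example.com", "*.example.org", "f*b*r.example.net" };
    const size_t nsans = sizeof sans / sizeof sans[0];
    const char *keys[] = { "mail.example.com", "smtp.example.org",
                           "deep.smtp.example.org", "foobar.example.net" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%-24s %s\n", keys[i],
               cert_names_contain(sans, nsans, keys[i]) ? "match" : "no match");
    return 0;
}
```

The rejections are the interesting part: `deep.smtp.example.org` does not match `*.example.org` because the wildcard covers one label only, `example.org` does not match it because the wildcard must cover a non-empty label, and `f*b*r.example.net` never matches anything because the pattern itself is outside the policy. If the documented Exim behaviour ends up differing on the `*.com` point, that one check is the line to change.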
