On 9.10.2015 15:00, Christian Heimes wrote:
On 2015-10-09 13:21, Jan Orel wrote:
Hello,

this patch removes (IMHO) a redundant check in cert_show, which fails when a
host tries to re-submit a certificate of a different host/service which it
can manage.

I also reported the bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=1269089

I tried to run the tests as well and it doesn't seem to break anything.
Any feedback appreciated.

Jan Cholasta, you implemented the check in 2011. What purpose does it have?

I did not, it was added in commit 2e8bae59 by Rob.


hostname == CN has been deprecated by RFC 2818 for some time, see
https://tools.ietf.org/html/rfc2818#section-3.1. The current check is
also not sufficient to prevent forgery. Browsers and modern TLS
libraries completely ignore CN when a dNSName SAN extension is present.

Christian



--
Jan Cholasta
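To illustrate Christian's point about RFC 2818 section 3.1, here is an added example (not FreeIPA code and not from anyone in this thread) that matches a host name against a certificate the way a modern TLS client does: dNSName SAN entries decide, and the subject CN is consulted only when no dNSName SAN exists. The certificate dicts are constructed for the example, in the shape returned by Python's ssl getpeercert().

```python
"""RFC 2818 section 3.1 host-name matching over getpeercert()-style dicts.

Constructed example: a certificate with CN=alice but SAN dNSName=bob is a
certificate for bob, not alice, so a check that only compares the host
name against the CN says nothing about which host the certificate names.
"""


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern; '*' is honoured only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False  # partial or nested wildcards are rejected
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail  # wildcard spans one label only


def dns_names(cert: dict) -> list:
    """dNSName entries of the subjectAltName extension (empty if none)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert: dict) -> list:
    """commonName attributes of the subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate names `hostname` under RFC 2818 section 3.1 rules."""
    sans = dns_names(cert)
    if sans:
        # A dNSName SAN is present: the CN is ignored entirely.
        return any(_name_match(p, hostname) for p in sans)
    return any(_name_match(cn, hostname) for cn in common_names(cert))


# Constructed certificates (hypothetical names, not real hosts).
CERT_WITH_SAN = {
    "subject": ((("commonName", "alice.example.test"),),),
    "subjectAltName": (("DNS", "bob.example.test"), ("DNS", "*.svc.example.test")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "alice.example.test"),),)}
```

With CERT_WITH_SAN, hostname_matches() accepts bob.example.test and rejects alice.example.test even though alice is the CN; with CERT_CN_ONLY the CN fallback applies.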
