On Sun, Feb 24, 2013 at 12:10:20AM +1100, Mark Andrews wrote:
> > When I did my initial development with OpenSSL, I observed:
> >
> > - If I did not have the rooted domain name in the SAN, then any SSL
> >   client stack would fail the verification if a rooted domain name
> >   was used to connect to the SSL server.
>
> Well, you have a broken SSL client app. If it is accepting non-legal
> hostnames it should be normalising them before passing them to the SSL
> layer.

From what little research I've done (only OpenSSL), the SSL client is
relying on getaddrinfo(3) to do name resolution. In turn, I haven't
found an implementation of getaddrinfo(3) that rejects rooted domain
names as non-legal. Looking for counter-examples...

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

--
Brian Reichert <reich...@numachi.com>
BSD admin/developer at large
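The behaviour the two messages describe (a rooted name such as "www.example.com." failing against a SAN written as "www.example.com", and the fix of normalising the name before it reaches the TLS layer) can be shown with a small hostname matcher. The code below is an added example written for this page; it is not from the thread, from OpenSSL or from any library. It reimplements the RFC 6125-style dNSName comparison that TLS stacks perform (label-by-label, wildcard only as the whole left-most label) and puts a normalisation step in front of it; the SAN list and the hostnames are constructed for illustration.

```python
"""Hostname normalisation before a TLS dNSName check (added example).

The SAN entries and hostnames below are constructed for illustration.
Certificates carry names without a trailing dot, so a client that
accepts a rooted name must strip the dot itself; name resolution via
getaddrinfo(3) will not do it for you.
"""

# Constructed SAN list, as a server certificate might carry it.
SAMPLE_SANS = ["www.example.com", "*.example.org"]


def normalize_hostname(host: str) -> str:
    """Turn a user-supplied DNS name into the form found in a SAN.

    - strips exactly one trailing dot (a rooted / fully qualified name)
    - lowercases (DNS names compare case-insensitively)
    - rejects empty names and empty labels ("a..b", "a..")
    """
    if host.endswith("."):
        host = host[:-1]
    host = host.lower()
    if not host or any(label == "" for label in host.split(".")):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def san_matches(san: str, host: str) -> bool:
    """Match one dNSName SAN against a hostname, label by label.

    A wildcard is honoured only as the entire left-most label and only
    when at least two labels follow it (so "*.org" never matches).
    No normalisation happens here: this is the comparison the TLS
    layer does on whatever string it is handed.
    """
    san_labels = san.lower().split(".")
    host_labels = host.split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        if len(san_labels) < 3 or any("*" in lbl for lbl in san_labels[1:]):
            return False
        return san_labels[1:] == host_labels[1:]
    return "*" not in san and san_labels == host_labels


def verify_hostname(sans, host: str, normalise: bool = True) -> bool:
    """Return True if host matches any dNSName in sans.

    With normalise=False the rooted name is passed through unchanged,
    which reproduces the failure described in the thread: the extra
    empty label after the trailing dot makes the label counts differ.
    """
    name = normalize_hostname(host) if normalise else host
    return any(san_matches(san, name) for san in sans)


if __name__ == "__main__":
    for h in ["www.example.com.", "WWW.Example.COM.", "api.example.org."]:
        print(f"{h:20} raw={verify_hostname(SAMPLE_SANS, h, normalise=False)!s:5} "
              f"normalised={verify_hostname(SAMPLE_SANS, h)}")
```

Running the block shows each rooted name failing the raw comparison and passing once normalised. The normalisation belongs in the application (or whatever builds the connection), before the hostname is handed to the TLS verifier, exactly as the quoted reply recommends; doing it after resolution is too late, because getaddrinfo(3) happily resolves the rooted form.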