On Mon, Nov 19, 2012 at 09:09:32PM +0100, Dr. Stephen Henson wrote:
> On Mon, Nov 19, 2012, Kurt Roeckx wrote:
>
> > On Wed, Nov 07, 2012 at 03:47:11PM +0100, Florian Weimer wrote:
> > > Hi,
> > >
> > > the attached patch implements wildcard matching and introduces the
> > > X509_CHECK_FLAG_NO_WILDCARDS flag to disable it if necessary.
> > >
> > > In addition, it implements case-insensitive comparison of host names
> > > and email address domain parts, as required by RFC 5280. Domain
> > > names and email addresses which contain NUL characters are now
> > > rejected, to cope with some mis-issued certificates.
> >
> > It would be nice if s_client would also do the hostname check.
> >
>
> There is an option -checkhost in s_client that does this though currently you
> have to explicitly pass the hostname to check as an argument.

Oh, I didn't see that commit yet. The usage of s_client doesn't show it.

It would be nice if this was actually turned on by default and based on the host given in -connect.

It would also be nice if it used the protocol-specific settings based on something like -starttls.

Kurt
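The three checks described in the quoted patch announcement (wildcard matching that a flag can disable, case-insensitive comparison, rejection of names containing NUL), as an added stand-alone example that is not the attached patch or OpenSSL's code. `match_host` and `NO_WILDCARDS` are hypothetical names, and the wildcard rule used here (a single leading `*.` label in front of at least two further labels) is an assumption, since the thread does not spell out the patch's rule.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NO_WILDCARDS 0x1u /* hypothetical stand-in for X509_CHECK_FLAG_NO_WILDCARDS */

/* Locale-independent ASCII lowercase, so matching does not vary with setlocale(). */
static int ascii_lower(int c) { return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c; }

/* Case-insensitive comparison of two length-delimited buffers. */
static int equal_nocase(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return 0;
    for (size_t i = 0; i < alen; i++)
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* pattern/plen: name from the certificate, length-delimited as in ASN.1, may hold NUL.
 * host: NUL-terminated reference name. Returns 1 on match, 0 otherwise. */
int match_host(const char *pattern, size_t plen, const char *host, unsigned flags)
{
    size_t hlen = strlen(host);

    /* An embedded NUL would make a C-string compare accept only the prefix. */
    if (plen == 0 || memchr(pattern, '\0', plen) != NULL)
        return 0;
    if (equal_nocase(pattern, plen, host, hlen))
        return 1;
    if (flags & NO_WILDCARDS)
        return 0;
    /* Assumed rule: "*." prefix only, and the remainder must contain another dot. */
    if (plen < 3 || pattern[0] != '*' || pattern[1] != '.'
        || memchr(pattern + 2, '.', plen - 2) == NULL)
        return 0;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0; /* the wildcard must stand for exactly one non-empty label */
    return equal_nocase(pattern + 1, plen - 1, dot, hlen - (size_t)(dot - host));
}

int main(void)
{
    /* Constructed sample names, not taken from any real certificate. */
    printf("%d\n", match_host("*.example.com", 13, "www.example.com", 0));
    printf("%d\n", match_host("*.example.com", 13, "www.example.com", NO_WILDCARDS));
    return 0;
}
```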
