On Wed, Apr 02, 2014 at 12:57:28AM +0200, Dr. Stephen Henson wrote:

> I am far from sure the callback is worth the trouble.
>
> The initial aim of X509_check_host was to support minimal host name matching
> which until then wasn't in OpenSSL at all. It wasn't intended to cover every
> case but to be a lot better than nothing.
>
> The wildcard matching was contributed as an addition. If it's felt it is
> terminally broken it can be either disabled by default or reverted altogether.
> Or fixed if someone can come up with a patch...
I can contribute a patch that addresses many of the issues. Things that I'm not immediately planning to address are:

- Separate flag for wildcards in CN vs. wildcards in SAN dnsName (LDAP case in RFC 6125).
- Adding the just discussed callback, if it is not obvious how to extend X509_VERIFY_PARAM_ID_st.
- Matching multiple reference identities, if it is not obvious how to extend X509_VERIFY_PARAM_ID_st to hold additional host names.

What were your plans for X509_VERIFY_PARAM_ID_st for DANE? That's where the TLSA records were going to be, right?

If you post a note about the approach you want to take with extending X509_VERIFY_PARAM_ID_st I can provide a more complete patch.

-- 
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org