Viktor Dukhovni wrote:
> On Tue, Apr 01, 2014 at 07:07:10PM -0700, Howard Chu wrote:
>> Viktor Dukhovni wrote:
>>> I can contribute a patch that addresses many of the issues. Things
>>> that I'm not immediately planning to address are:
>>> - Separate flag for wildcards in CN vs. wildcards in SAN dnsName.
>>> (LDAP case in RFC 6125).
>> Just to add context - the LDAP RFCs always specified wildcards in SAN only,
>> not in the CN. But most commercial CAs seem to have made a practice of
>> issuing wildcard certs using * in the CN, not in a dnsName SAN. For a long
>> time we rejected wildcard CN certs in OpenLDAP but finally started accepting
>> them after multiple users' requests. It's a slippery slope; don't expect to
>> get it right.
> Thanks, good to know. So is there in your view a real need for
> separate wildcard flags in SAN vs. CN? It never made much sense
> to me, and if LDAP implementations are now giving in to CA practice,
> I am inclined to do what makes more sense, more than I am inclined
> to support an oddity of the LDAP wildcard matching specifications.
By all means, do what makes sense. I'm not sure how relevant it is for LDAP,
since OpenLDAP's libldap is pretty much the only LDAP client library around
now, and we already have our own cert validation function which behaves
identically for OpenSSL, MozillaNSS, and GnuTLS.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
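An added illustration (not code from OpenSSL, OpenLDAP or either poster) of the policy split discussed in the thread: wildcard acceptance in SAN dNSName and in the subject CN controlled by two separate, hypothetical flags, with the CN consulted only when the certificate carries no dNSName SAN at all. The certificate fields are plain Python strings standing in for parsed X.509 data.

```python
# Reference-identifier matching in the style of RFC 6125, written to show
# what a "separate wildcard flag for SAN vs. CN" would look like. Hypothetical
# flag names; not the API of OpenSSL or libldap.

WILDCARD_SAN = 1  # permit "*" as the leftmost label of a SAN dNSName
WILDCARD_CN = 2   # permit "*" as the leftmost label of the subject CN


def _match_dns(pattern, hostname, allow_wildcard):
    """Match one presented identifier against a hostname.

    Comparison is case-insensitive. Only a whole leftmost label may be a
    wildcard, it never spans a dot (so "*.example.com" does not match
    "a.b.example.com"), and a bare "*.tld" pattern is refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not allow_wildcard:
        return False
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False  # partial-label wildcards and "*.com" are rejected
    if len(plabels) != len(hlabels):
        return False  # wildcard matches exactly one label
    return plabels[1:] == hlabels[1:]


def verify_hostname(hostname, san_dns, subject_cn, flags):
    """Return the presented identifier that matched, or None.

    If the certificate has any dNSName SAN entries, only those are
    consulted and the CN is ignored; the CN is a fallback for SAN-less
    certificates only. The two flags are checked independently, which
    is the separation the thread asks whether anyone really needs.
    """
    if san_dns:
        for name in san_dns:
            if _match_dns(name, hostname, flags & WILDCARD_SAN):
                return name
        return None
    if subject_cn and _match_dns(subject_cn, hostname, flags & WILDCARD_CN):
        return subject_cn
    return None


if __name__ == "__main__":
    # Constructed sample: a CA-style wildcard cert that only carries a CN.
    print(verify_hostname("ldap.example.com", [], "*.example.com", WILDCARD_SAN))
    print(verify_hostname("ldap.example.com", [], "*.example.com", WILDCARD_CN))
```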