On Wed, Apr 02, 2014 at 07:24:21AM -0400, Salz, Rich wrote:

> I don't think it makes sense to have a separate flag.
> 
> What's the harm in looking at the CN if you don't find a match in the SAN?

Well, in fact if any DNS SANs exist, per RFC 6125 and other prior
art, one in fact must not look at the CN.  The question here is
whether wildcards allowed in SANs by LDAP specs should consequently
also be allowed in the CN (when no SANs are present) despite said
LDAP specs.  If so we don't need confusing additional flags to
separately control processing of wildcards in CN vs. SAN.

My plan is to support only one wildcard flag which enables/disables
wildcard processing in both CN and SANs.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

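Added example, not OpenSSL code and not from anyone in this thread: a small Python model of the matching rule Viktor describes. When the certificate carries any DNS subjectAltName entries the CN is never consulted (even if no SAN matches), the CN is used only when no DNS SANs exist, and one `allow_wildcards` flag governs wildcard handling in both places. The `CertNames` class, the function names and the sample names are constructed for illustration.

```python
"""Model of RFC 6125 hostname matching with a single wildcard flag.

Added example: a constructed stand-in for certificate identity fields,
not OpenSSL's implementation.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Constructed stand-in for the identity fields of an X.509 certificate."""
    dns_sans: List[str] = field(default_factory=list)   # dNSName SAN entries
    common_name: Optional[str] = None                    # subject CN, if any


def _match_name(pattern: str, hostname: str, allow_wildcards: bool) -> bool:
    """Match one certificate name against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  With wildcards
    enabled, only a leftmost label consisting solely of '*' is honoured, it
    must match exactly one non-empty label, and at least two literal labels
    must remain (so '*.com' is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not allow_wildcards:
        return False
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    if not hlabels[0]:
        return False
    return plabels[1:] == hlabels[1:]


def match_hostname(cert: CertNames, hostname: str,
                   allow_wildcards: bool = True) -> bool:
    """Return True if hostname matches the certificate's DNS identity.

    Per RFC 6125, once any DNS SAN is present the CN is ignored entirely;
    the CN is a fallback only for certificates with no DNS SANs.  The same
    allow_wildcards flag applies to SANs and to the CN.
    """
    if cert.dns_sans:
        return any(_match_name(san, hostname, allow_wildcards)
                   for san in cert.dns_sans)
    if cert.common_name is None:
        return False
    return _match_name(cert.common_name, hostname, allow_wildcards)


if __name__ == "__main__":
    # Constructed sample: SAN present, so the CN must not rescue a mismatch.
    c = CertNames(dns_sans=["www.example.com"], common_name="other.example.com")
    print(match_hostname(c, "other.example.com"))   # False: CN ignored
    print(match_hostname(c, "www.example.com"))     # True
```

The point worth noticing in practice is the first sample: a certificate whose CN would match is still rejected because a DNS SAN is present, which is exactly the behaviour that makes a separate "check CN too" flag unnecessary.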