On Wed, Apr 02, 2014 at 07:24:21AM -0400, Salz, Rich wrote:
> I don't think it makes sense to have a separate flag.
>
> What's the harm in looking at the CN if you don't find a match in the SAN?
Well, in fact if any DNS SANs exist, per RFC 6125 and other prior art, one in fact must not look at the CN. The question here is whether wildcards allowed in SANs by LDAP specs should consequently also be allowed in the CN (when no SANs are present) despite said LDAP specs. If so we don't need confusing additional flags to separately control processing of wildcards in CN vs. SAN.

My plan is to support only one wildcard flag which enables/disables wildcard processing in both CN and SANs.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
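The precedence rule Viktor describes (DNS SANs, when present, are the only identifiers consulted; the CN is a fallback only for certificates with no DNS SAN at all) and the single flag gating wildcards in both places, as an added example. This is not OpenSSL code and not the X509_check_host() implementation under discussion; the `Cert` stand-in, the `check_host`/`match_pattern` names and the rejection of `*` and `*.tld` as too broad are assumptions made for the illustration.

```python
"""Added example: a minimal RFC 6125 style host-name matcher.

Rules illustrated:
  * if the certificate carries any DNS-ID SAN entries, the CN is never
    consulted, even when no SAN matches;
  * the CN is examined only when the certificate has no DNS SAN at all;
  * one flag (allow_wildcards) governs wildcard processing for SAN and CN.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Constructed stand-in for the identity fields of an X.509 certificate."""
    dns_sans: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    cn: Optional[str] = None                           # subject commonName, if present


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; tolerate one trailing dot (absolute name).
    return name.lower().rstrip(".").split(".")


def match_pattern(pattern: str, host: str, allow_wildcards: bool) -> bool:
    """Match one presented identifier against a reference host name.

    Wildcard handling (RFC 6125 section 6.4.3, simplified):
      * '*' is honoured only when it is the entire left-most label;
      * it matches exactly one label, so '*.example.com' matches
        'www.example.com' but neither 'example.com' nor 'a.b.example.com';
      * a bare '*' or '*.tld' is rejected as too broad (assumption for this example).
    """
    p, h = _labels(pattern), _labels(host)
    if not p or not h or "" in p or "" in h:   # empty labels: malformed name
        return False
    if "*" not in pattern:
        return p == h                           # plain identifier: exact label match
    if not allow_wildcards:
        return False                            # single flag disables wildcards everywhere
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False                            # wildcard must be the whole left-most label
    if len(p) < 3:
        return False                            # '*' or '*.com' would match far too much
    return len(h) == len(p) and h[1:] == p[1:]


def check_host(cert: Cert, host: str, allow_wildcards: bool = True) -> Optional[str]:
    """Return the presented identifier that matched, or None.

    DNS SANs, if any, are the only identifiers considered; a certificate with
    SANs that do not match fails outright and does not fall back to the CN.
    """
    if cert.dns_sans:
        for san in cert.dns_sans:
            if match_pattern(san, host, allow_wildcards):
                return san
        return None                             # SANs present, no match: CN is ignored
    if cert.cn is not None and match_pattern(cert.cn, host, allow_wildcards):
        return cert.cn
    return None


if __name__ == "__main__":
    # Constructed sample certificates (not real certificates).
    san_cert = Cert(dns_sans=["*.example.com"], cn="www.example.net")
    cn_only = Cert(cn="*.example.com")
    print(check_host(san_cert, "www.example.net"))            # None: CN ignored, SAN present
    print(check_host(san_cert, "www.example.com"))            # *.example.com
    print(check_host(cn_only, "mail.example.com"))            # *.example.com
    print(check_host(cn_only, "mail.example.com", False))     # None: wildcards disabled
```

Note that the "too broad" check is a policy choice layered on top of the label-matching rule; the part that matters for the thread is that `check_host` returns `None` for a SAN-bearing certificate whose CN would otherwise have matched, and that passing `allow_wildcards=False` switches wildcard interpretation off for SAN and CN alike.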