> Note that other implementations treated this as a bug and fixed it a long time
> ago.

What other implementations, and what did they do? Always treating a CN as a DNS name? We can't.

> I'm not sure what "deprecated" and "mandated" mean in the openssl
> context. If openssl actually de-implemented CN-as-hostname and actually
> mandated SAN, that would solve the nameConstraints bypass bug in grand
> style.

Applications can do that now by setting the right flag, as Viktor pointed out. I think it's too late to make the default change for 1.1.

> How about this for a heuristic: If nameConstraints are in effect, then the
> validator MUST NOT accept the CN as a DNS name. This seems like the least
> the validator could do, in light of the aforementioned deprecation.

Probably.

> --
> The problem is not solved until bad guys are
> /required/ to use SAN;

Applications can make that happen now.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3502
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
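The heuristic discussed in the thread, as an added illustration that is neither OpenSSL's code nor part of the list post: a toy hostname check in which dNSName constraints are enforced only against SAN entries, so that the CN fallback on a constrained chain is exactly the gap described. Certificate records, hostnames and the permitted subtree are constructed for the example.

```python
# Added illustration of the thread's heuristic; not OpenSSL code.
# Certificates, names and the permitted subtree below are constructed.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Leaf:
    cn: Optional[str]                                  # subject commonName
    san_dns: List[str] = field(default_factory=list)   # SAN dNSName entries


def in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName constraint: 'corp.example' permits itself and subdomains."""
    name, subtree = name.lower(), subtree.lower().lstrip(".")
    return name == subtree or name.endswith("." + subtree)


def verify_hostname(leaf: Leaf, host: str, permitted: List[str],
                    cn_fallback_when_constrained: bool) -> bool:
    """True if `host` is acceptable for `leaf` under the chain's permitted
    dNSName subtrees (empty list = no nameConstraints in effect).

    Constraints are checked only against SAN dNSNames. With
    cn_fallback_when_constrained=True (legacy behaviour) a SAN-less leaf is
    matched on its CN, which the constraint check never saw. With False
    (the proposed heuristic) the CN is ignored as a DNS name once
    constraints apply.
    """
    constrained = bool(permitted)
    # 1. nameConstraints: every SAN dNSName must lie inside a permitted subtree.
    if constrained and not all(any(in_subtree(n, s) for s in permitted)
                               for n in leaf.san_dns):
        return False
    # 2. Which names may the peer hostname be matched against?
    if leaf.san_dns:
        names = leaf.san_dns
    elif leaf.cn and (not constrained or cn_fallback_when_constrained):
        names = [leaf.cn]
    else:
        names = []
    return any(host.lower() == n.lower() for n in names)


def demo() -> dict:
    """Constructed scenario: an intermediate constrained to corp.example."""
    permitted = ["corp.example"]
    san_leaf = Leaf(cn="ignored", san_dns=["mail.corp.example"])
    cn_only = Leaf(cn="login.other.example")          # no SAN at all
    return {
        "san_inside": verify_hostname(san_leaf, "mail.corp.example", permitted, True),
        "cn_legacy": verify_hostname(cn_only, "login.other.example", permitted, True),
        "cn_heuristic": verify_hostname(cn_only, "login.other.example", permitted, False),
        "cn_unconstrained": verify_hostname(cn_only, "login.other.example", [], False),
    }
```

Only the "cn_legacy" case accepts a name outside the constrained subtree; the heuristic closes it while leaving CN fallback intact on unconstrained chains.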