> On May 30, 2016, at 10:06 PM, Salz, Rich via RT <r...@openssl.org> wrote:
>
>> I'm not sure what "deprecated" and "mandated" mean in the openssl
>> context. If openssl actually de-implemented CN-as-hostname and actually
>> mandated SAN, that would solve the nameConstraints bypass bug in grand
>> style.
>
> Applications can do that now by setting the right flag, as Viktor pointed
> out. I think it's too late to make the default change for 1.1

Well, to be fair, I was proposing a new flag. We don't yet have a flag to
suppress processing of CN in the absence of DNS-ID SANs.

--
Viktor.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3502
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
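
Added illustration, not part of the thread and not OpenSSL code: a simplified Python model of why CN-as-hostname lets a certificate with no DNS-ID SANs escape dNSName name constraints, and how a switch that suppresses CN processing (the kind of flag proposed above) closes that gap. It assumes the validator compares only SAN entries with the permitted subtrees; the dict layout, function names and hostnames are constructed, and wildcard matching is left out.

```python
# Simplified model of the two checks; not OpenSSL code. All data is constructed.

def in_subtree(name, base):
    """dNSName constraint match: name equals base or is a subdomain of it."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def constraints_ok(cert, permitted):
    """Assumption: only DNS-ID SANs are compared with the permitted subtrees."""
    return all(any(in_subtree(n, p) for p in permitted) for n in cert["san_dns"])

def reference_names(cert, cn_fallback):
    """Names that are compared with the requested hostname."""
    if cert["san_dns"]:
        return cert["san_dns"]      # DNS-ID SANs present: CN is ignored
    if cn_fallback and cert["cn"]:
        return [cert["cn"]]         # legacy CN-as-hostname behaviour
    return []                       # CN suppressed: nothing can match

def accepts(cert, hostname, permitted, cn_fallback=True):
    """True when the certificate passes both the constraint and hostname checks."""
    if not constraints_ok(cert, permitted):
        return False
    names = reference_names(cert, cn_fallback)
    return hostname.lower() in (n.lower() for n in names)

# Constructed sample data: a CA constrained to example.com and three leaf certs.
PERMITTED = ["example.com"]
IN_SCOPE = {"cn": "www.example.com", "san_dns": ["www.example.com"]}
OUT_OF_SCOPE_SAN = {"cn": "www.other.test", "san_dns": ["www.other.test"]}
CN_ONLY = {"cn": "www.other.test", "san_dns": []}

if __name__ == "__main__":
    cases = [
        ("in scope, SAN", IN_SCOPE, "www.example.com"),
        ("out of scope, SAN", OUT_OF_SCOPE_SAN, "www.other.test"),
        ("out of scope, CN only", CN_ONLY, "www.other.test"),
    ]
    for label, cert, host in cases:
        for fallback in (True, False):
            verdict = accepts(cert, host, PERMITTED, cn_fallback=fallback)
            print(f"{label:22} cn_fallback={fallback!s:5} accepted={verdict}")
```

The CN-only certificate is the only case whose verdict changes with `cn_fallback`: the constraint check has no SAN to inspect, so the hostname check is the last place it can be rejected.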