> On May 30, 2016, at 10:06 PM, Salz, Rich via RT <[email protected]> wrote:
>
>> I'm not sure what "deprecated" and "mandated" mean in the openssl
>> context. If openssl actually de-implemented CN-as-hostname and actually
>> mandated SAN, that would solve the nameConstraints bypass bug in grand
>> style.
>
> Applications can do that now by setting the right flag, as Viktor pointed
> out. I think it's too late to make the default change for 1.1
Well, to be fair, I was proposing a new flag. We don't yet have a flag to
suppress processing of CN in the absence of DNS-ID SANs.
--
Viktor.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3502
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
