So something like
int openssl_cert_matches_dnsname(X509* cert, const char* name)
? That seems like a good thing.
> There is also the delicate question of exactly what name the app hands to
> the check algorithm as the target host name. The text below is
> unambiguous that it must be "what the user typed", not the canonical host
> name as determined via DNS. This avoids DNS spoofing but raises some
> serious deployment problems, in particular if a host has lots of aliases.
I'm not quite sure I see the issue. Either list all the aliases or
use the wildcard. I'm sure most folks will just do the latter. To me,
that seems like a minor issue, or am I just missing something?
> I don't propose to solve this here but merely note that handling this
> correctly is yet another reason to not re-invent this wheel many times.
I am totally in favor of not re-inventing, but I don't see what OpenSSL
could do for this second issue?
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
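The matching rule the thread keeps circling ("what the user typed" against the certificate's dNSName entries, with either every alias listed or a single wildcard) can be written down concretely. The C below is an added illustration for this page, not code from the OpenSSL project or from the poster; it works on plain strings instead of an X509* (the `SAMPLE_SAN_NAMES` list stands in for a certificate's subjectAltName dNSName entries and is constructed for the example), and the function names `dnsname_matches` and `cert_matches_dnsname` are hypothetical. It applies the usual conservative rules: ASCII case-insensitive comparison, a wildcard only as the whole left-most label, no matching across dots, and no wildcard on a suffix with fewer than two labels.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate's dNSName SAN entries:
 * one alias listed explicitly, the rest covered by a wildcard. */
static const char *const SAMPLE_SAN_NAMES[] = {
    "mail.example.com",
    "*.example.com",
    NULL
};

/* ASCII case-insensitive comparison of two byte ranges (DNS names are case-insensitive). */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Match one presented dNSName pattern against the host name exactly as the
 * user typed it (no DNS canonicalisation). A pattern whose left-most label is
 * exactly "*" matches one non-empty label there and never spans a dot; the
 * remaining suffix must carry at least two labels, so "*.com" matches nothing.
 * Any other use of '*' is rejected; otherwise the names must match exactly. */
bool dnsname_matches(const char *pattern, const char *host) {
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen && pattern[plen - 1] == '.') plen--;   /* tolerate one trailing dot */
    if (hlen && host[hlen - 1] == '.') hlen--;
    if (plen == 0 || hlen == 0) return false;

    if (plen >= 2 && pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 1;           /* ".example.com" */
        size_t slen = plen - 1;
        int dots = 0;
        for (size_t i = 0; i < slen; i++)
            if (suffix[i] == '.') dots++;
        if (dots < 2) return false;                 /* refuse "*.com" style patterns */

        /* the host's first label must be non-empty; the wildcard consumes only that label */
        const char *hdot = memchr(host, '.', hlen);
        if (hdot == NULL || hdot == host) return false;
        size_t first = (size_t)(hdot - host);
        return label_eq(suffix, slen, host + first, hlen - first);
    }
    if (memchr(pattern, '*', plen) != NULL) return false;  /* "w*.example.com" etc. */
    return label_eq(pattern, plen, host, hlen);
}

/* Check the typed host name against a NULL-terminated list of dNSName entries. */
bool cert_matches_dnsname(const char *const *san_names, const char *host) {
    for (; *san_names != NULL; san_names++)
        if (dnsname_matches(*san_names, host)) return true;
    return false;
}

int main(void) {
    const char *hosts[] = { "www.example.com", "MAIL.EXAMPLE.COM", "example.com", "a.b.example.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s -> %s\n", hosts[i],
               cert_matches_dnsname(SAMPLE_SAN_NAMES, hosts[i]) ? "match" : "no match");
    return 0;
}
```

Note that `example.com` itself does not match `*.example.com`: the wildcard covers exactly one label, so a site reached both with and without the `www.` alias still needs the bare name listed explicitly, which is the "list all the aliases" half of the trade-off the post describes.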