On Mon, Jun 07, 2010 at 03:03:28PM +0100, David Woodhouse wrote:

> On Thu, 2010-06-03 at 21:35 -0400, Victor Duchovni wrote:
> > The problem is that only the application knows which names are those of
> > the peer it tried to reach.
>
> True, but the app could easily provide that information to a library
> function.

Not quite that simple, as in the case of Postfix, for example, the
application supports a list of acceptable names, some of which can be
sub-domain wild-cards. An API to iterate over the subjectAltName DNS names
(validated to not contain embedded NULs, ...) if present or else the CN
(normalized to UTF-8 and validated to not contain embedded NULs, ...) would
be of general use.

> If you look at the 250 lines of code I referenced, almost none of that
> is actually app-specific. My code could be abstracted to take the
> app-specific information as arguments without too much pain.

Different apps have somewhat different name matching policies, but I would
agree that *robust* name *extraction* should and could be easier.

--
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
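The split the mail argues for, library-side name extraction (SAN dNSNames if present, else the CN, decoded to text and rejected on an embedded NUL) kept apart from application-side matching against a list that may contain sub-domain patterns, as an added illustration that is not code from this thread, OpenSSL or Postfix. The `SubjectNames` container, the tag-coded string entries and the leading-dot sub-domain policy are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ASN.1 string tag -> codec (UTF8String, PrintableString, IA5String, UniversalString, BMPString).
ASN1_CODECS = {12: "utf-8", 19: "ascii", 22: "ascii", 28: "utf-32-be", 30: "utf-16-be"}
HOSTNAME_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")

@dataclass
class SubjectNames:
    """Assumed stand-in for a parsed certificate: (ASN.1 string tag, raw bytes with explicit length)."""
    san_dns: List[Tuple[int, bytes]] = field(default_factory=list)
    cn: Optional[Tuple[int, bytes]] = None

def normalize_name(tag: int, raw: bytes) -> Optional[str]:
    """Decode one ASN.1 string and validate it as a DNS name; None means "do not
    trust this entry" (unknown type, undecodable, embedded NUL, non-hostname chars).
    The NUL check runs on decoded text: a BMPString legitimately holds 0x00 bytes."""
    try:
        text = raw.decode(ASN1_CODECS[tag])
    except (KeyError, UnicodeDecodeError):
        return None
    if "\x00" in text or not HOSTNAME_RE.fullmatch(text):
        return None
    return text.lower()

def extract_dns_names(names: SubjectNames) -> List[str]:
    """subjectAltName dNSNames if present, else the CN; bad entries are
    dropped whole rather than truncated at the first NUL as strlen() would."""
    candidates = names.san_dns or ([names.cn] if names.cn else [])
    cleaned = (normalize_name(tag, raw) for tag, raw in candidates)
    return [n for n in cleaned if n is not None]

def matches_policy(cert_names: List[str], acceptable: List[str]) -> bool:
    """Application-side matching, separate from extraction. Assumed policy: exact
    case-insensitive match, or a leading-dot pattern matching any proper sub-domain."""
    for name in cert_names:
        for pat in (p.lower() for p in acceptable):
            if pat.startswith("."):
                if name.endswith(pat) and len(name) > len(pat):
                    return True
            elif name == pat:
                return True
    return False

# Constructed sample data, not taken from any real certificate.
SAN_CERT = SubjectNames(san_dns=[(22, b"mail.example.com"), (22, b"good.example.com\x00.example.test")])
BMP_CN_CERT = SubjectNames(cn=(30, "SMTP.example.org".encode("utf-16-be")))
```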