On Jul 15, 2014, at 9:24 AM, Evgeny Fedoruk <evge...@radware.com> wrote:

> The question is about SCN and SAN extraction from X509.
> 1. Extraction of SCN/SAN should be done while provisioning and not
> during TLS handshake
   Yes, that makes the most sense. If some strange backend really wants to
repeatedly extract this during the TLS handshake, I guess they are free to do
this, although it's pretty brain damaged since the extracted fields will always
be the same.

> 2. Every back-end code/driver must(?) extract SCN and(?) SAN and use it
> for certificate determination for host

    No need for this to be in driver code. It was my understanding that the
X509 was going to be pulled apart in the API code via pyOpenSSL (which is what
I'm working on now). Since we would be validating the key and x509 at the API
layer already, it made more sense to extract the SubjectAltName and SubjectSN
here as well. If you want to do it in the driver as well, at least use the same
code that's already in the API layer.


>  
> Please give your feedback
>  
> Thanks,
> Evg
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
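
The split discussed in this thread (extract the names once at provisioning, only look them up at handshake time), sketched as an added example that is not code from the thread or from Neutron LBaaS. It assumes the CN and SAN dNSName values have already been pulled out of the X509 by the API layer; ProvisionedCert, build_host_index, select_cert and all certificate names are hypothetical, and preferring SAN over CN is this example's assumption.

```python
# Added example, not Neutron LBaaS code. Certificate names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProvisionedCert:
    """Names pulled out of the X509 once, when the certificate is provisioned."""
    cert_id: str
    subject_cn: str
    san_dns: tuple = ()


def _norm(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.strip().rstrip(".").lower()


def build_host_index(certs):
    """Run at provisioning time: map every usable name to a certificate id."""
    exact, wildcard = {}, {}
    for cert in certs:
        # Assumption: SAN dNSName entries win and the CN is only a fallback
        # (the RFC 6125 rule); the thread leaves "SCN and(?) SAN" open.
        names = cert.san_dns or (cert.subject_cn,)
        for name in map(_norm, names):
            if name.startswith("*.") and name[2:] and "*" not in name[2:]:
                wildcard.setdefault(name[2:], cert.cert_id)
            elif name and "*" not in name:
                exact.setdefault(name, cert.cert_id)  # first provisioned wins
    return exact, wildcard


def select_cert(index, host, default=None):
    """Run per handshake: dictionary lookups only, no X509 parsing."""
    exact, wildcard = index
    host = _norm(host)
    if host in exact:
        return exact[host]
    # A wildcard covers exactly one left-most label, so strip one label only.
    _, _, parent = host.partition(".")
    return wildcard.get(parent, default) if parent else default


CONSTRUCTED_CERTS = [
    ProvisionedCert("cert-a", "www.example.com", ("www.example.com", "*.example.com")),
    ProvisionedCert("cert-b", "legacy.example.net"),
    ProvisionedCert("cert-c", "cn-ignored.example.org", ("san.example.org",)),
]
INDEX = build_host_index(CONSTRUCTED_CERTS)
```
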

