Major browsers seem to deal correctly with basicConstraints. iOS and MacOSX don't handle NameConstraints, Mozilla used to apply them to SAN only.
For software stacks, OpenSSL handles BC well, I haven't checked about NC but it should be OK. GNUtls correctly handles BC since version 3.1.3, don't know if the patch has been backported to 3.0 and 2.6; it can't handle NC at all. GNUtls is widely used on Debian/Ubuntu. Java needs some testing. NSS is fine. Lesser used stacks. PolarSSL doesn't check NC, and based on my readings of the source code, BC support is incomplete. Don't know about other stacks. Le 9 janv. 2013 08:40, "Leif Johansson" <le...@mnt.se> a écrit : > > > This is something that is easily implemented using a path length > > constraint but you have to know that there is a potential problem to > > avoid it. > > > Has anyone done interop testing in the wild for path length and name > constraints, eg > for commonly deployed TLS stacks and browsers? > > Cheers Leif > _______________________________________________ > wpkops mailing list > wpkops@ietf.org > https://www.ietf.org/mailman/listinfo/wpkops >
_______________________________________________ wpkops mailing list wpkops@ietf.org https://www.ietf.org/mailman/listinfo/wpkops