> I, for one, would not want OpenSSL to employ such a complex and fragile 
> mechanism.

Yeah, it's kinda gross and clunky.  On the other hand, it's really all we have 
right now, and rejecting a cert with a SAN name of "*.com" is a good security 
thing to do.  Perhaps a configure option, or a callback that could implement it?

        /r$

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
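As an added illustration of the check discussed above (example code, not OpenSSL's own and not the poster's): a dNSName SAN validator that refuses wildcards whose base is a public suffix, so "*.com" or "*.co.uk" is rejected while "*.example.com" is accepted, with RFC 6125 style single-label wildcard matching. The suffix table is a constructed stand-in for the real public suffix list.

```python
# Added example, not OpenSSL code: a dNSName SAN wildcard check that rejects
# wildcards whose base is a public suffix (so "*.com" and "*.co.uk" are refused),
# plus RFC 6125 style single-label wildcard matching.

# Constructed stand-in for a public suffix list. The real list is large and
# changes over time, which is the "complex and fragile" part of the thread.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "ac.uk", "github.io"}


def _labels(name):
    """Normalise a DNS name into lower-case labels without a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def is_public_suffix(domain):
    """True if the whole domain is a registry-controlled suffix in our table."""
    return ".".join(_labels(domain)) in PUBLIC_SUFFIXES


def wildcard_is_acceptable(san):
    """Return True for a literal dNSName, or for a wildcard SAN whose base
    is a registrant-controlled domain rather than a public suffix."""
    labels = _labels(san)
    if not any("*" in label for label in labels):
        return True                      # plain name: nothing to restrict
    if labels[0] != "*":
        return False                     # partial ("f*.example.com") or non-leftmost wildcard
    if any("*" in label for label in labels[1:]):
        return False                     # only one wildcard allowed
    base = ".".join(labels[1:])
    if not base or is_public_suffix(base):
        return False                     # "*" or "*.com" would cover every registrant
    return True


def san_matches(san, hostname):
    """Match hostname against one dNSName SAN: exact comparison for literal
    names; for an acceptable wildcard, '*' stands for exactly one label."""
    if not wildcard_is_acceptable(san):
        return False
    san_labels, host_labels = _labels(san), _labels(hostname)
    if san_labels[0] != "*":
        return san_labels == host_labels
    # '*' consumes exactly one non-empty host label; the rest must match.
    return (len(host_labels) == len(san_labels)
            and host_labels[0] != ""
            and host_labels[1:] == san_labels[1:])
```

In a real deployment the suffix table would be loaded from a maintained public suffix list and refreshed, which is exactly the operational cost the thread is weighing.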
