On Sat, Oct 27, 2012 at 11:00 AM, Alban D. <blan...@gmail.com> wrote:
> Hi everyone,
>
> iSEC Partners just released a paper that provides detailed guidelines
> and sample code on how to properly do certificate validation with
> OpenSSL:
> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>
> It is not trivial and so I thought this reference material could be
> useful to people on this mailing list.

] Supporting wildcard certificates requires manually parsing
] the name to find the wildcard character, ensuring that it is
] in a valid location within the domain, and then trying to
] match the pattern with the server's expected hostname.
Don't do it because it violates the Principle of Least Privilege. Why
should users be asked to trust the receptionist's machine in the lobby
or a developer's machine with nearly anything installed?

If you are in a multi-domain environment (such as Apache with virtual
hosts), use multiple certificates or Server Name Indication (SNI).

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
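As an added example, not code from the iSEC paper or from anyone in this thread: a strict dNSName matcher written from the quoted description, with Jeff's stance as the default (any wildcard name is rejected) and the RFC 6125 left-most-label rules applied only when the caller opts in. The function name and its `allow_wildcard` parameter are assumptions of this example.

```python
# Added example (not from the thread): match a certificate dNSName against the
# expected hostname. Default: refuse wildcard certificates outright, as Jeff
# advises. With allow_wildcard=True, apply the narrow RFC 6125 6.4.3 rules.
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; drop a single trailing dot.
    return name.lower().rstrip(".")


def hostname_matches(cert_name: str, hostname: str, allow_wildcard: bool = False) -> bool:
    """Return True if cert_name (a dNSName from the certificate) matches hostname."""
    cert_name, hostname = _normalize(cert_name), _normalize(hostname)
    # The expected hostname must itself be a well-formed name (no '*', no empty labels).
    if not hostname or any(not _LABEL.match(lbl) for lbl in hostname.split(".")):
        return False
    if "*" not in cert_name:
        return cert_name == hostname        # exact match: the simple, safe case
    if not allow_wildcard:
        return False                        # least privilege: wildcard certs rejected
    labels = cert_name.split(".")
    first, rest = labels[0], labels[1:]
    # The wildcard must be the whole left-most label ("*.example.com"); partial
    # wildcards ("f*.example.com") and wildcards in later labels are refused.
    if first != "*" or any("*" in lbl for lbl in rest):
        return False
    # Refuse "*" and "*.com": at least two fixed, well-formed labels must remain.
    if len(rest) < 2 or any(not _LABEL.match(lbl) for lbl in rest):
        return False
    host_labels = hostname.split(".")
    # The wildcard matches exactly one label: "*.example.com" matches
    # "www.example.com" but neither "example.com" nor "a.b.example.com".
    return len(host_labels) == len(labels) and host_labels[1:] == rest
```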