On 2015-10-09 13:21, Jan Orel wrote:
> Hello,
> 
> this patch removes (IMHO) redundat check in cert_show, which fails when
> host tries to re-submit certificate of different host/service which he
> can manage. 
> 
> I also reported the bug here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1269089
> 
> I tired to run the tests as well and it doesn't seem to break anything.
> Any feedpack appriciated.

Jan Cholasta, you implemented the check in 2011. What purpose does it have?

hostname == CN has been deprecated by RFC 2818 for some time, see
https://tools.ietf.org/html/rfc2818#section-3.1  The current check is
also not sufficient to prevent forgery. Browsers and modern TLS
libraries completely ignore CN when a dNSName SAN extension is present.

Christian

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to