On 2015-10-09 13:21, Jan Orel wrote:
> Hello,
>
> this patch removes (IMHO) redundant check in cert_show, which fails when
> host tries to re-submit certificate of different host/service which he
> can manage.
>
> I also reported the bug here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1269089
>
> I tried to run the tests as well and it doesn't seem to break anything.
> Any feedback appreciated.

Jan Cholasta, you implemented the check in 2011. What purpose does it have?

hostname == CN has been deprecated by RFC 2818 for some time, see https://tools.ietf.org/html/rfc2818#section-3.1

The current check is also not sufficient to prevent forgery. Browsers and modern TLS libraries completely ignore CN when a dNSName SAN extension is present.

Christian
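
The name-selection rule from RFC 2818 section 3.1 referred to in the reply above, as an added example that is not part of the thread or of FreeIPA's code. The certificate dicts use the layout returned by Python's `ssl.SSLSocket.getpeercert()`; `cn_only_check` is a hypothetical, simplified model of a "hostname == CN" test, and all host names are constructed.

```python
# Added example: which names a TLS client checks (RFC 2818 section 3.1),
# compared with a check that looks only at the subject CN.

def _name_match(pattern, hostname):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        # The wildcard covers exactly one label, never a dot.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def presented_names(cert):
    """Return (names, source): dNSName SANs if any exist, otherwise the subject CN."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return dns, "SAN"  # CN is ignored entirely once a dNSName is present
    return _common_names(cert), "CN"

def client_accepts(cert, hostname):
    """Would an RFC 2818 client accept this certificate for hostname?"""
    names, _ = presented_names(cert)
    return any(_name_match(n, hostname) for n in names)

def cn_only_check(cert, requester):
    """Hypothetical model of a 'subject CN must equal the requesting host' check."""
    return requester.lower() in (c.lower() for c in _common_names(cert))

# Constructed sample: CN names one host, the dNSName SAN names another.
MIXED = {
    "subject": ((("commonName", "web1.example.test"),),),
    "subjectAltName": (("DNS", "ldap.example.test"),),
}
# Constructed sample: legacy certificate with no SAN extension.
LEGACY = {"subject": ((("commonName", "web1.example.test"),),)}

if __name__ == "__main__":
    for host in ("web1.example.test", "ldap.example.test"):
        print(host, "cn_only:", cn_only_check(MIXED, host),
              "client:", client_accepts(MIXED, host))
```

For the mixed certificate the CN comparison passes for `web1.example.test`, while a client validates the certificate only for `ldap.example.test`, so any authorization decision has to consider the dNSName entries as well.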