On 9.10.2015 15:00, Christian Heimes wrote:
On 2015-10-09 13:21, Jan Orel wrote:
this patch removes (IMHO) redundat check in cert_show, which fails when
host tries to re-submit certificate of different host/service which he
I also reported the bug here:
I tired to run the tests as well and it doesn't seem to break anything.
Any feedpack appriciated.
Jan Cholasta, you implemented the check in 2011. What purpose does it have?
I did not, it was added in commit 2e8bae59 by Rob.
hostname == CN has been deprecated by RFC 2818 for some time, see
https://tools.ietf.org/html/rfc2818#section-3.1 The current check is
also not sufficient to prevent forgery. Browsers and modern TLS
libraries completely ignore CN when a dNSName SAN extension is present.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code