On 9.10.2015 15:00, Christian Heimes wrote:
On 2015-10-09 13:21, Jan Orel wrote:

this patch removes (IMHO) redundat check in cert_show, which fails when
host tries to re-submit certificate of different host/service which he
can manage.

I also reported the bug here:

I tired to run the tests as well and it doesn't seem to break anything.
Any feedpack appriciated.

Jan Cholasta, you implemented the check in 2011. What purpose does it have?

I did not, it was added in commit 2e8bae59 by Rob.

hostname == CN has been deprecated by RFC 2818 for some time, see
https://tools.ietf.org/html/rfc2818#section-3.1  The current check is
also not sufficient to prevent forgery. Browsers and modern TLS
libraries completely ignore CN when a dNSName SAN extension is present.


Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to