On Tue, Apr 01, 2014 at 05:03:32PM -0400, Salz, Rich wrote:
> > I, for one, would not want OpenSSL to employ such a complex
> > and fragile mechanism.
>
> Yeah, it's kinda gross and clunky. On the other hand, it's really
> all we have right now, and rejecting a cert with a SAN name of
> "*.com" is a good security thing to do. Perhaps a configure option,
> or a callback that could implement it?

Note that the implementation in master (some day 1.1.0) already
rejects *.com; what it fails to reject is *.co.uk (that's why
we're still mulling over this thread).

An optional callback perhaps to validate the suffix of a wildcard
cert, but complexity has costs, and I think the onus is on the
trusted CA (that wants to remain trusted) to not issue such
certificates.

I am far from sure the callback is worth the trouble.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
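
The gap discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's code: a label-count rule (an assumed simplification) rejects `*.com` but accepts `*.co.uk`, while a check against a suffix list rejects both. The function names and the four-entry suffix table are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample; a real check would load the full Public Suffix List. */
static const char *const SAMPLE_SUFFIXES[] = { "com", "org", "uk", "co.uk" };
#define N_SUFFIXES (sizeof(SAMPLE_SUFFIXES) / sizeof(SAMPLE_SUFFIXES[0]))

/* Part after "*." or NULL when the pattern is not a left-most wildcard. */
static const char *wildcard_base(const char *pattern)
{
    if (strncmp(pattern, "*.", 2) != 0 || pattern[2] == '\0')
        return NULL;
    return pattern + 2;
}

/* Length of the base without a trailing root dot ("co.uk." == "co.uk"). */
static size_t base_len(const char *base)
{
    size_t n = strlen(base);
    return (n > 0 && base[n - 1] == '.') ? n - 1 : n;
}

/* Heuristic: at least two labels must follow the wildcard. */
int label_count_accepts(const char *pattern)
{
    const char *base = wildcard_base(pattern);
    return base != NULL && memchr(base, '.', base_len(base)) != NULL;
}

/* Stricter: also reject when the base itself is a listed public suffix. */
int suffix_list_accepts(const char *pattern)
{
    const char *base = wildcard_base(pattern);
    size_t i, n;
    if (!label_count_accepts(pattern))
        return 0;
    n = base_len(base);
    for (i = 0; i < N_SUFFIXES; i++)
        if (strlen(SAMPLE_SUFFIXES[i]) == n &&
            strncasecmp(base, SAMPLE_SUFFIXES[i], n) == 0)
            return 0;
    return 1;
}

int main(void)
{
    const char *t[] = { "*.com", "*.co.uk", "*.co.uk.", "*.example.co.uk" };
    for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++)
        printf("%-18s label-count=%d suffix-list=%d\n", t[i],
               label_count_accepts(t[i]), suffix_list_accepts(t[i]));
    return 0;
}
```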