Viktor Dukhovni wrote:
> I can contribute a patch that addresses many of the issues. Things that I'm not immediately planning to address are:
>
> - Separate flag for wildcards in CN vs. wildcards in SAN dnsName. (LDAP case in RFC 6125).
Just to add context - the LDAP RFCs always specified wildcards in SAN only, not in the CN. But most commercial CAs seem to have made a practice of issuing wildcard certs using * in the CN, not in a dnsName SAN. For a long time we rejected wildcard CN certs in OpenLDAP but finally started accepting them after multiple users' requests. It's a slippery slope, don't expect to get it right.
-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
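The CN-versus-SAN wildcard distinction discussed above, as an added example that is not code from the thread, from OpenSSL or from OpenLDAP: a small Python hostname verifier with separate policy switches for wildcards in the CN and in SAN dNSName entries. It follows the RFC 6125 rules that dNSName entries take precedence over the CN and that a wildcard is honoured only as the complete left-most label, matching exactly one label; the `WildcardPolicy` class, the function names and the sample identities are assumptions.

```python
"""Hostname verification with separate wildcard policies for SAN dNSName and CN.

Constructed example, not OpenSSL or OpenLDAP code. The wildcard rules are a
conservative profile of RFC 6125 section 6.4.3: whole left-most label only,
at least two labels to its right, one label matched.
"""
from dataclasses import dataclass
from typing import List, Optional


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; one trailing dot is ignored.
    return name.lower().rstrip(".").split(".")


def match_dns_name(hostname: str, pattern: str, allow_wildcard: bool) -> bool:
    """Return True if the certificate identity `pattern` matches `hostname`."""
    host, pat = _labels(hostname), _labels(pattern)
    if "*" not in pattern:
        return host == pat
    if not allow_wildcard:
        return False
    # Wildcard must be the entire left-most label; "www*.example.com",
    # "www.*.com" and bare "*.com" are refused.
    if pat[0] != "*" or len(pat) < 3 or any("*" in lbl for lbl in pat[1:]):
        return False
    # A wildcard matches exactly one label, never zero and never several.
    return len(host) == len(pat) and host[1:] == pat[1:]


@dataclass
class WildcardPolicy:
    in_san: bool = True   # the LDAP RFCs permit wildcards in SAN dNSName
    in_cn: bool = False   # CA practice, not the RFCs; off unless enabled


def verify_hostname(hostname: str, san_dns: List[str], cn: Optional[str],
                    policy: WildcardPolicy) -> bool:
    """Match `hostname` against the certificate identities under `policy`."""
    if san_dns:
        # RFC 6125 section 6.4.4: with dNSName present, the CN is not consulted.
        return any(match_dns_name(hostname, p, policy.in_san) for p in san_dns)
    return cn is not None and match_dns_name(hostname, cn, policy.in_cn)
```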
