On Sat, Jun 12, 2004 at 07:38:42PM +0200, Gisle Vanem wrote:
> How is the /CN= supposed to be encoded for a host/domain-
> name using international characters? In some specified charset
> (utf8?) or in the ASCII Compatible Encoded form?
> 
> I ask since in an application here (using libidn), I get the subject
> with X509_get_subject_name() and check the CN (or wildcard
> mask) against the host I connect to. If they don't match, that's
> an error.
> 
> E.g. if I connect to www.tromsø.no, it's registered in DNS as
> www.xn--troms-zua.no. Should the CN be the same also? Is it
> an error to match the CN against www.tromsø.no too? Guessing
> being liberal is okay...

I think it's correct to put the ACE form in the commonName, and that's
what applications should compare against.  IDNA is after all supposed to
be an *application*-layer encoding; at the protocol layer, nothing
changes, normal ASCII DNS names are used.  This is true at HTTP level as
well as at DNS level, so there's no reason why SSL should be special.

> BTW. is there any function in OpenSSL that can match
> e.g. "x*.foo.com" against "xxx.foo.com"?

No, fnmatch() is fairly portable across Unixes though.

Regards,

joe
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
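The check discussed above, as an added example that is not code from the thread or from OpenSSL/libidn: the host name is converted to its ACE form with Python's built-in idna codec (IDNA2003, assumed equivalent to libidn's behaviour for this purpose) and compared against the CN, and the wildcard is confined to the leftmost label, since fnmatch() over the whole name lets `*` run across dots.

```python
"""Match a certificate commonName against a (possibly non-ASCII) host name.

Added example, not code from the thread.  The host is converted to its ACE
form (Python's built-in 'idna' codec) and compared against the CN in ACE
form, so a CN written either as www.xn--troms-zua.no or as www.tromsø.no
matches the same host.  Wildcards are limited to the leftmost label.
"""
import fnmatch


def to_ace(name: str) -> str:
    """Return the lower-cased ASCII Compatible Encoding of a domain name.

    Labels that are already ASCII (including xn-- labels and ones containing
    '*') pass through unchanged, so either form may be handed in.
    """
    return name.rstrip(".").encode("idna").decode("ascii").lower()


def cn_matches_host(cn: str, host: str) -> bool:
    """True if certificate CN 'cn' covers 'host' (single-label wildcard only)."""
    cn_labels = to_ace(cn).split(".")
    host_labels = to_ace(host).split(".")
    if "*" not in cn_labels[0]:
        return cn_labels == host_labels          # exact match, ACE vs ACE
    # Wildcard present: same label count, more than two labels in total,
    # wildcard only in the leftmost label, and an identical tail.
    if len(cn_labels) != len(host_labels) or len(cn_labels) < 3:
        return False
    if any("*" in label for label in cn_labels[1:]):
        return False
    if cn_labels[1:] != host_labels[1:]:
        return False
    # fnmatchcase on a single label: '*' cannot cross a dot here.
    return fnmatch.fnmatchcase(host_labels[0], cn_labels[0])


def naive_fnmatch(cn: str, host: str) -> bool:
    """The shortcut from the reply: fnmatch() over the whole name ('*' crosses dots)."""
    return fnmatch.fnmatchcase(to_ace(host), to_ace(cn))


if __name__ == "__main__":
    print(to_ace("www.tromsø.no"))                                   # www.xn--troms-zua.no
    print(cn_matches_host("www.xn--troms-zua.no", "www.tromsø.no"))  # True
    print(cn_matches_host("x*.foo.com", "xxx.foo.com"))              # True
    print(naive_fnmatch("*.foo.com", "a.b.foo.com"))                 # True
    print(cn_matches_host("*.foo.com", "a.b.foo.com"))               # False
```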
