Joe Orton wrote:
> On Sat, Jun 12, 2004 at 07:38:42PM +0200, Gisle Vanem wrote:
> > How is the /CN= supposed to be encoded for a host/domain-
> > name using international characters? In some specified charset
> > (utf8?) or in the ASCII Compatible Encoded form?
> > I ask since in an application here (using libidn), I get the subject
> > with X509_get_subject_name() and check the CN (or wildcard
> > mask) against the host I connect to. If they don't match, that's
> > an error.
> > E.g. if I connect to www.tromsø.no, it's registered in DNS as
> > www.xn--troms-zua.no. Should the CN be the same also? Is it
> > an error to match the CN against www.tromsø.no too? Guessing
> > being liberal is okay...
> I think it's correct to put the ACE form in the commonName, and that's
> what applications should compare against. IDNA is after all supposed to
> be an *application*-layer encoding; at the protocol layer, nothing
> changes, normal ASCII DNS names are used. This is true at HTTP level as
> well as at DNS level, so there's no reason why SSL should be special.
> > BTW. is there any function in OpenSSL that can match
> > e.g. "x*.foo.com" against "xxx.foo.com"?
> No, fnmatch() is fairly portable across Unixes though.
Please note that fnmatch() use is against RFC2818.
--
Lev Walkin
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
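The two points made in the thread (compare the commonName against the ACE form of the hostname, and do not use fnmatch() for the wildcard because RFC 2818 confines a wildcard to a single label) can be seen in the following example. It is added here and is not code from the thread or from OpenSSL; it assumes the caller has already converted the hostname to ACE (for instance with libidn, as Gisle's application does) and only implements the comparison step. The fnmatch_match() function is included purely to show how fnmatch() accepts names that RFC 2818 section 3.1 rejects.

```c
/* Added example, not from the thread: RFC 2818 style comparison of a
 * certificate commonName pattern against the hostname being connected to.
 * Both strings are assumed to be in ACE form already (e.g. the output of
 * libidn's idna_to_ascii_8z()); no IDN conversion is performed here. */
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Match one label of the pattern against one label of the host.
 * At most one '*' is allowed and it only matches characters inside this
 * label: it can never absorb a '.', so it cannot swallow extra labels. */
static int label_match(const char *pat, size_t plen, const char *lab, size_t llen)
{
    const char *star = memchr(pat, '*', plen);
    if (star == NULL) {
        /* literal label: same length and case-insensitive equality */
        if (plen != llen)
            return 0;
        for (size_t i = 0; i < plen; i++)
            if (tolower((unsigned char)pat[i]) != tolower((unsigned char)lab[i]))
                return 0;
        return 1;
    }
    size_t pre = (size_t)(star - pat);   /* literal text before '*' */
    size_t suf = plen - pre - 1;         /* literal text after '*' */
    if (memchr(star + 1, '*', suf) != NULL)
        return 0;                        /* reject a second '*' */
    if (llen < pre + suf)
        return 0;
    /* prefix and suffix are star-free, so they take the literal path */
    return label_match(pat, pre, lab, pre) &&
           label_match(star + 1, suf, lab + llen - suf, suf);
}

/* Return 1 if host matches pattern as RFC 2818 section 3.1 describes:
 * labels are compared pairwise, the label count must agree, a wildcard
 * stays within its label, and a wildcard is honoured in the leftmost
 * label only ("*.a.com" matches "foo.a.com" but not "bar.foo.a.com",
 * "f*.com" matches "foo.com" but not "bar.com"). */
int rfc2818_match(const char *pattern, const char *host)
{
    const char *p = pattern, *h = host;
    int leftmost = 1;
    for (;;) {
        const char *pd = strchr(p, '.');
        const char *hd = strchr(h, '.');
        size_t plen = pd ? (size_t)(pd - p) : strlen(p);
        size_t hlen = hd ? (size_t)(hd - h) : strlen(h);
        if (!leftmost && memchr(p, '*', plen) != NULL)
            return 0;                    /* wildcard outside leftmost label */
        if (!label_match(p, plen, h, hlen))
            return 0;
        if ((pd == NULL) != (hd == NULL))
            return 0;                    /* different number of labels */
        if (pd == NULL)
            return 1;
        p = pd + 1;
        h = hd + 1;
        leftmost = 0;
    }
}

/* For contrast: plain fnmatch(3) lets '*' run across '.' boundaries. */
int fnmatch_match(const char *pattern, const char *host)
{
    return fnmatch(pattern, host, 0) == 0;
}

int main(void)
{
    /* constructed sample pairs, including the ACE name from the thread */
    const char *pairs[][2] = {
        { "www.xn--troms-zua.no", "www.xn--troms-zua.no" },
        { "x*.foo.com",           "xxx.foo.com" },
        { "x*.foo.com",           "x.bar.foo.com" },   /* fnmatch says yes, RFC 2818 says no */
        { "*.foo.com",            "a.bar.foo.com" },
        { "www.*.com",            "www.foo.com" },
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-22s vs %-22s rfc2818=%d fnmatch=%d\n", pairs[i][0], pairs[i][1],
               rfc2818_match(pairs[i][0], pairs[i][1]),
               fnmatch_match(pairs[i][0], pairs[i][1]));
    return 0;
}
```

The third sample pair is the case Lev is pointing at: fnmatch() treats `x*.foo.com` as a glob and accepts `x.bar.foo.com`, whereas the RFC 2818 rules keep the wildcard inside the leftmost label and reject it.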