> I, for one, would not want OpenSSL to employ such a complex and fragile mechanism.
Yeah, it's kinda gross and clunky. On the other hand, it's really all we have right now, and rejecting a cert with a SAN name of "*.com" is a good security thing to do. Perhaps a configure option, or a callback that could implement it?

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
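The kind of check being discussed, as an added example that is not OpenSSL code and not part of the thread: a wildcard dNSName SAN is rejected when the `*` is not the entire leftmost label or when what remains is a bare top-level domain or a registry-controlled suffix such as `co.uk`. The suffix set is a small constructed sample standing in for the real Public Suffix List, and the function names are assumed.

```python
"""Wildcard SAN sanity check (added example, not OpenSSL's own code)."""
import re
from typing import Optional

# Constructed sample; a real check would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "ac.uk", "github.io"}

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def wildcard_san_problem(name: str) -> Optional[str]:
    """Return a reason string if the dNSName SAN is unacceptable, else None."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    if "*" not in name:
        # Not a wildcard: only label syntax is checked here.
        bad = [lab for lab in labels if not LABEL_RE.match(lab)]
        return f"invalid label(s): {bad}" if bad else None
    # RFC 6125 6.4.3: the wildcard must be the whole leftmost label only.
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return "wildcard must be the entire leftmost label"
    rest = labels[1:]
    if len(rest) < 2:
        # "*.com": would match every second-level name under a TLD.
        return "wildcard would match every name under a top-level domain"
    suffix = ".".join(rest)
    if suffix in PUBLIC_SUFFIXES:
        # "*.co.uk": the remainder is itself a registry-controlled suffix.
        return f"wildcard covers public suffix '{suffix}'"
    bad = [lab for lab in rest if not LABEL_RE.match(lab)]
    return f"invalid label(s): {bad}" if bad else None


def wildcard_matches(pattern: str, host: str) -> bool:
    """Match host against an accepted pattern; '*' covers exactly one label."""
    if wildcard_san_problem(pattern) is not None:
        return False  # never match on a pattern the policy rejects
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # the wildcard does not span multiple labels
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))
```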