Hi Viktor and Kurt,

Thanks for the quick response. I think I agree with you guys. I looked up the hostname RFCs again (RFC952 and 1123), not the URI RFC, and indeed, '_' and '~' are not valid characters to be used for a hostname.

So technically, what openssl is doing is right. What makes it tricky is that, since there are many hostnames using '_' in the wild, even libcurl seems not to check '_' or '~' for hostname validity. I think hostname verification with those characters should be handled outside of the openssl context.

Thanks
Sekwon

On Tue, Aug 11, 2015 at 12:29 PM, [email protected] via RT <[email protected]> wrote:

> On Tue, Aug 11, 2015 at 07:22:58PM +0000, Kurt Roeckx via RT wrote:
>
> > It looks to me that you're trying to validate an URL instead of a
> > hostname. I don't know of any standard that allows you to put a
> > URL in a certificate and it also doesn't make much sense.
>
> Certificates IIRC can have URI subjectAltNames, I don't recall
> whether we support matching these. If we did, that would certainly
> not be via X509_check_host(), there would have to be an X509_check_uri()
> interface.
>
> --
> Viktor.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
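
An added example, not part of the original message and not OpenSSL code: a strict RFC 952/1123 letter-digit-hyphen check that an application could run on a reference hostname outside the TLS library, showing that '_' and '~' are rejected. The names `check_hostname` and `host_err` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes for this example (not an OpenSSL API). */
enum host_err { HOST_OK = 0, HOST_EMPTY, HOST_TOO_LONG, HOST_BAD_CHAR,
                HOST_BAD_HYPHEN, HOST_BAD_LABEL_LEN };

static int is_ld(unsigned char c)   /* ASCII letter or digit only */
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Validate a reference hostname (not a certificate wildcard pattern):
 * labels of 1..63 letters, digits or hyphens, no leading or trailing
 * hyphen in a label, at most 253 bytes, one optional trailing dot. */
enum host_err check_hostname(const char *name)
{
    size_t len = strlen(name), label_len = 0, i;

    if (len > 0 && name[len - 1] == '.')
        len--;                              /* tolerate the root dot */
    if (len == 0)
        return HOST_EMPTY;
    if (len > 253)
        return HOST_TOO_LONG;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0)
                return HOST_BAD_LABEL_LEN;  /* empty label, e.g. "a..b" */
            if (name[i - 1] == '-')
                return HOST_BAD_HYPHEN;     /* label ends with '-' */
            label_len = 0;
            continue;
        }
        if (c == '-') {
            if (label_len == 0)
                return HOST_BAD_HYPHEN;     /* label starts with '-' */
        } else if (!is_ld(c)) {
            return HOST_BAD_CHAR;           /* '_', '~', '*', non-ASCII */
        }
        if (++label_len > 63)
            return HOST_BAD_LABEL_LEN;
    }
    if (label_len == 0)
        return HOST_BAD_LABEL_LEN;          /* e.g. "a.." */
    return name[len - 1] == '-' ? HOST_BAD_HYPHEN : HOST_OK;
}
```

Whether to enforce this strictly or to tolerate '_' for names seen in the wild is an application policy decision.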
