CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]    2024/06/17 23:08:41

Modified files:
        sbin/iked      : ca.c 

Log message:
iked: do not attempt to read multiple SANs

No extension in a valid certificate appears more than once per RFC 5280
section 4.2. So don't go walking the extension stack and try to inspect
multiple subject alternative names because crappy OpenSSL API encourages
you to do so. Instead call the API in the only correct way possible and
report multiple SANs in log_info(). This is unlikely to be hit since the
extension caching in LibreSSL has rejected repeated OIDs in a cert for a
long time.

ok tobhe
