Joseph Salowey wrote:
> [Joe] Today, there are CA's that issue certificates with wildcards
> in the hostname. It would be good if Syslog implementations could
> be configured to work with these CA's. It is not required that this
> support always be enabled. Would the addition help:
>
> "The '*' (ASCII 42) wildcard character is allowed in subjectAltName
> values of type dNSName (and in Common Name, if used), and then only
> as the left-most (least significant) DNS label in that value. This
> wildcard matches any left-most DNS label in the server name. That
> is, the subject *.example.com matches the server names a.example.com
> and b.example.com, but does not match example.com or
> a.b.example.com. Implementations SHOULD provide the ability to
> enable support for these types of wildcards within the host name in
> the certificate. "

I think this needs to be "Implementations MUST support wildcards in
certificates as specified above, but MAY provide a configuration
option to disable them."

Best regards,
Pasi
_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
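
The matching rule from the quoted text, written out as an added example; it is not part of the original message or of any syslog implementation. The function names and the `allow_wildcards` switch are assumptions standing in for the configuration option discussed in the thread, and the certificate names are constructed samples.

```python
def dnsname_matches(pattern: str, server_name: str,
                    allow_wildcards: bool = True) -> bool:
    """Compare one certificate name (dNSName or Common Name) to a server name.

    '*' is honoured only as the entire left-most label and stands for
    exactly one label, as in the quoted text.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    s_labels = server_name.lower().rstrip(".").split(".")

    # Reject empty labels and a '*' in the name we are connecting to.
    if "" in p_labels or "" in s_labels or "*" in server_name:
        return False
    # A wildcard covers one label, so the label counts must be equal:
    # *.example.com matches neither example.com nor a.b.example.com.
    if len(p_labels) != len(s_labels):
        return False
    # '*' anywhere other than the left-most label is never a wildcard.
    if any("*" in label for label in p_labels[1:]):
        return False

    if p_labels[0] == "*":
        # Assumed configuration switch: wildcard support can be disabled.
        return allow_wildcards and p_labels[1:] == s_labels[1:]
    if "*" in p_labels[0]:
        # Partial labels such as f*.example.com are not covered by the
        # quoted text, so this sketch refuses them.
        return False
    return p_labels == s_labels


def certificate_matches(cert_names, server_name, allow_wildcards=True):
    """True if any name presented in the certificate matches the server."""
    return any(dnsname_matches(n, server_name, allow_wildcards)
               for n in cert_names)


if __name__ == "__main__":
    sample_names = ["*.example.com", "logs.example.net"]  # constructed sample
    for host in ("a.example.com", "b.example.com",
                 "example.com", "a.b.example.com"):
        print(host, certificate_matches(sample_names, host))
```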
