On Sun, Mar 22, 2015 at 08:11:35PM +0000, Alexey Melnikov wrote:
> > A quick look at OpenSSL shows no support for SRVNAME.
>
> OpenSSL does or at least it is very easy to add it on top of OpenSSL. My
> co-workers at isode implemented that.
Well, there's generic support for "otherName". But recent improvements
in OpenSSL (1.0.2 and later) strive to enable applications to, as much
as possible, delegate certificate peername verification to the library,
rather than hand-rolling their own (often incorrect) peername checks.
So I think that for SRVNAME verification to be practical, in addition
to CAs being willing to issue such certificates (don't know if any
are as yet), libraries should support matching them on behalf of
applications that signal the appropriate service name and domain
name and leave the rest to the library.
I'll probably be the one writing a bunch of that code for OpenSSL.
I'm curious whether this is already supported in (m)any other
libraries.
--
Viktor.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
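As an added illustration of what "leave the rest to the library" could look like (example code written for this page, not from the thread, OpenSSL, or Isode's implementation): the application hands over only the service and domain it meant to reach, and the library matches SRVName otherName entries per RFC 4985, with DNS-ID fallback as an RFC 6125 policy choice. The SAN list and the dummy OID 1.2.3.4 are constructed.

```python
# Added example (not code from the thread, OpenSSL or Isode): library-side SRV-ID
# matching per RFC 4985 and RFC 6125; the app supplies only service and domain.
from __future__ import annotations
from dataclasses import dataclass

SRVNAME_OID = "1.3.6.1.5.5.7.8.7"  # id-on-dnsSRV, the SRVName otherName type-id

@dataclass(frozen=True)
class SanEntry:
    kind: str       # "dNSName" or "otherName"
    value: str      # hostname pattern, or the SRVName IA5String for otherName
    oid: str = ""   # otherName type-id; empty for dNSName

# Constructed sample SAN, in the shape a library extracts from a certificate.
SAMPLE_SAN = [SanEntry("otherName", "_xmpp-server.example.com", SRVNAME_OID),
              SanEntry("dNSName", "*.example.com"),
              SanEntry("otherName", "ignored", "1.2.3.4")]  # unrelated, dummy OID

def parse_srvname(value: str) -> tuple[str, str] | None:
    """Split an RFC 4985 SRVName ("_xmpp-server.example.com") into lower-cased
    (service, name), or None if malformed; both compare case-insensitively."""
    service, _, name = value[1:].partition(".")
    if not value.startswith("_") or not service or not name:
        return None
    return service.lower(), name.lower().rstrip(".")

def dns_id_matches(pattern: str, host: str) -> bool:
    """DNS-ID comparison (RFC 6125 section 6.4.3): exact match, or a wildcard
    that is the entire left-most label and stands for exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def match_peer(san: list[SanEntry], service: str, domain: str,
               allow_dns_id_fallback: bool = True) -> str | None:
    """Return "SRV-ID" or "DNS-ID" for the identifier type that matched, else
    None. `domain` is the name the user asked for, not a target host from an
    unauthenticated SRV lookup (RFC 6125 6.2.1); DNS-ID fallback is app policy."""
    service, domain = service.lower(), domain.lower().rstrip(".")
    for e in san:
        if e.kind == "otherName" and e.oid == SRVNAME_OID:
            if parse_srvname(e.value) == (service, domain):  # malformed -> None
                return "SRV-ID"
    if allow_dns_id_fallback:
        for e in san:
            if e.kind == "dNSName" and dns_id_matches(e.value, domain):
                return "DNS-ID"
    return None
```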