On 2016-09-10 16:36:35 [+0200], Kurt Roeckx wrote:
> Looking at the certificate subject looks just wrong. It should
> at least check the Subject Alternative Name, if present, and it
> should be present. And it really shouldn't convert it to a string
> and hope there are no other fields that happen to have "CN=" in it.
> You might want to look at:
>
> https://wiki.openssl.org/index.php/Hostname_validation
But this problem existed before 1.1.0 support (this patch). What do you recommend here? The built-in usage (X509_VERIFY_PARAM_set_hostflags()) looks simple. The alternative X509_check_host() is 1.0.2+ and since it cannot be applied to stable I don't see the point. I would add this for 1.1.0 and keep the current validation for < 1.1.0.

> Kurt

Sebastian