On Mon, Sep 12, 2016 at 01:50:36PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-09-10 16:36:35 [+0200], Kurt Roeckx wrote:
> > Looking at the certificate subject looks just wrong. It should
> > at least check the Subject Alternative Name, if present, and it
> > should be present. And it really shouldn't convert it to a string
> > and hope there are no other fields that happen to have "CN=" in it.
> > You might want to look at:
> >
> > https://wiki.openssl.org/index.php/Hostname_validation
>
> But this problem existed before 1.1.0 support (this patch).
> What do you recommend here? The builtin usage
> (X509_VERIFY_PARAM_set_hostflags()) looks simple. The alternative
> X509_check_host() is 1.0.2+ and since it can not be applied to stable I
> don't see the point. I would add this for 1.1.0 and keep the current
> validation for < 1.1.0.
We don't want to upload this to Debian stable in any case. But if it's
only doing the right thing with 1.1.0 that works for me.

Kurt