Hi all. I'm writing some code that prepares compact host:port addresses
for certificate CN checking. This is to handle an application that
keeps a host list like "foo.example.com 192.168.1.1:2389
[fe80::230:6eff:fe4b:703] [fe80::230:6eff:fe4b:703]:3389".
After browsing through various RFCs I'm still not sure what rules my
address parsing should follow. Does anyone know the answers or have a
pointer to where I can find them?
1) Are appended ports actually allowed in the subjectAltName or CN? If
they are, I'm leaning towards still pulling off the port before the
verification because it seems like the lesser wrong for the common
configuration.
For example, I would turn my compact address foo.example.com:389 into
foo.example.com in order to match with CN=foo.example.com,O=ExampleCorp
and possibly [fe80::230:6eff:fe4b:703]:389 into fe80::230:6eff:fe4b:703
to match CN=fe80::230:6eff:fe4b:703,O=ExampleCorp.
2) When an IPv6 literal address is in the CN or the subjectAltName, and
if the answer to question 1 is that ports are not allowed, then are the
square brackets that may surround IPv6 addresses still allowed?
For example, I might turn [fe80::230:6eff:fe4b:703] into
fe80::230:6eff:fe4b:703 in order for the match with
CN=fe80::230:6eff:fe4b:703,O=ExampleCorp to work. But I shouldn't touch
the brackets if a subject like
CN=[fe80::230:6eff:fe4b:703],O=ExampleCorp is allowed.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
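Added example (not code from the original post or from any NSS/Mozilla code): a parser for the compact host list described above, followed by the identity check it feeds. Two facts from RFC 5280 shape it: a subjectAltName dNSName is a bare hostname, and an iPAddress entry is the raw address octets (4 or 16 bytes), so a SAN can never carry a port or square brackets, and IP literals should be compared as parsed addresses rather than as text ("fe80:0:0:0:230:6eff:fe4b:703" and "fe80::230:6eff:fe4b:703" are the same address). DNS names are compared case-insensitively, as RFC 6125 requires. The CN handling is this example's own policy, not a statement about what a CA may issue: a CN that still contains a port or brackets is treated as a non-match instead of being silently stripped. The sample host list is the one from the post; the underscore-tolerant hostname label rule is an assumption.

```python
"""Parse compact host[:port] tokens and derive the identity to check a
certificate against.  Added example, not code from the original post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hostname label: letters, digits, hyphen, no leading/trailing hyphen.
# Underscore is tolerated for internal names (an assumption, not an RFC rule).
_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


@dataclass(frozen=True)
class Endpoint:
    host: str             # DNS name or IP literal: no brackets, no port
    port: Optional[int]
    ip: Optional[IPAddr]  # parsed address when host is an IP literal

    @property
    def is_ip(self) -> bool:
        return self.ip is not None


def _parse_port(text: str) -> int:
    if not text.isdigit():
        raise ValueError(f"bad port {text!r}")
    port = int(text)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_compact_address(token: str) -> Endpoint:
    """Split 'host', 'host:port', '[v6]' or '[v6]:port' into its parts."""
    token = token.strip()
    if not token:
        raise ValueError("empty address")
    port = None
    if token.startswith("["):
        # Bracketed form: the only unambiguous way to attach a port to an
        # IPv6 literal.  The brackets are transport syntax, not part of the
        # address, so they are always removed here.
        end = token.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal: {token!r}")
        host, rest = token[1:end], token[end + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError(f"garbage after ']': {token!r}")
            port = _parse_port(rest[1:])
        host = host.split("%", 1)[0]  # zone id ("%eth0") never appears in a cert
        return Endpoint(host, port, ipaddress.IPv6Address(host))
    if token.count(":") > 1:
        # Unbracketed literal with several colons: a bare IPv6 address with no
        # port.  The post's list always brackets v6, so this is a lenient extra.
        host = token.split("%", 1)[0]
        return Endpoint(host, None, ipaddress.IPv6Address(host))
    host, sep, port_text = token.rpartition(":")
    if not sep:
        host = token
    else:
        port = _parse_port(port_text)
    try:
        return Endpoint(host, port, ipaddress.IPv4Address(host))
    except ValueError:
        pass
    host = host.rstrip(".").lower()  # DNS names compare case-insensitively
    if not host or not all(_LABEL.match(lab) for lab in host.split(".")):
        raise ValueError(f"invalid hostname: {host!r}")
    return Endpoint(host, port, None)


def parse_host_list(text: str) -> List[Endpoint]:
    """Parse a whitespace-separated list such as the one in the post."""
    return [parse_compact_address(t) for t in text.split()]


def reference_identity(ep: Endpoint) -> str:
    """Text to compare with a CN: port and brackets gone, IPv6 in canonical
    compressed form so 'fe80:0:0:0:...' and 'fe80::...' agree."""
    return ep.ip.compressed if ep.is_ip else ep.host


def matches_san(ep: Endpoint, dns_names: Iterable[str],
                ip_addresses: Iterable[Union[str, bytes]]) -> bool:
    """subjectAltName check.  ip_addresses may be the raw iPAddress octets
    from the certificate (4 or 16 bytes) or address text."""
    if ep.is_ip:
        return any(ep.ip == ipaddress.ip_address(a) for a in ip_addresses)
    return any(ep.host == n.rstrip(".").lower() for n in dns_names)


def matches_cn(ep: Endpoint, cn: str) -> bool:
    """Textual CN fallback.  Policy of this example: a CN that itself carries
    a port or brackets is a non-match rather than being silently stripped."""
    try:
        cn_ep = parse_compact_address(cn)
    except ValueError:
        return False
    if cn_ep.port is not None or cn.lstrip().startswith("["):
        return False
    return reference_identity(cn_ep) == reference_identity(ep)
```

Usage: `parse_host_list("foo.example.com 192.168.1.1:2389 [fe80::230:6eff:fe4b:703] [fe80::230:6eff:fe4b:703]:3389")` yields four endpoints; `matches_san(ep, san_dns_names, san_ip_octets)` answers the SAN question with no string munging at all, and `matches_cn(ep, "fe80:0:0:0:230:6eff:fe4b:703")` still matches the compressed literal because both sides are normalised through the same parser.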