curl-users

Re: [PATCH]add --peer-CN-regex option to the command line tool

From: Götz Babin-Ebell <babin-ebell_at_trustcenter.de>
Date: Wed, 04 Jun 2003 17:22:30 +0200

Hello Kevin,

Roth, Kevin P. wrote:
> RE: [PATCH]add --peer-CN-regex option to the command line tool
>
> Did the original patch take the wrong approach?
I don't think so.
Perhaps it tried to be too intelligent... ;-)

> It seemed to let you
> specify a regex to match the CERTIFICATE (CN) against. But all of the
> examples given so far already KNOW what the CN on the certificate is
> going to be...

You really (should) know what the CN should look like.
Only then can you test if you really connected to the host you wanted.

> Or, if you want to be fancy, you could setup some kind of regex or
> wildcard match against the HOSTNAME (which would be useful, if for
> example www.mycompany.com redirected you to www2.mycompany.com, but both
> used the same cert).

No, you mustn't match against the host name.
You must match against the CN of the certificate you get.

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126

Received on 2003-06-04
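
The check argued for in this message, sketched as an added example (not code from the patch or from curl): the CN is read from the certificate the peer presented and must match the expected pattern in full. The pattern, the helper names and the sample certificates are assumptions constructed for illustration, using the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import re

# Assumed policy for this example: the two host names mentioned in the thread.
EXPECTED_CN = r"www\d?\.mycompany\.com"


def make_cert(*common_names):
    """Constructed sample in the dict shape of ssl.SSLSocket.getpeercert()."""
    subject = [(("organizationName", "My Company"),)]
    subject += [(("commonName", cn),) for cn in common_names]
    return {"subject": tuple(subject)}


def subject_common_names(peercert):
    """Collect every commonName attribute from the certificate subject."""
    return [value
            for rdn in peercert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def peer_cn_matches(peercert, pattern=EXPECTED_CN):
    """True only if the certificate carries exactly one CN and all of it matches."""
    cns = subject_common_names(peercert)
    if len(cns) != 1:
        return False  # no CN or several CNs: ambiguous, so reject (policy choice)
    cn = cns[0]
    if "\x00" in cn:
        return False  # an embedded NUL can hide a suffix from C string compares
    # fullmatch anchors both ends, so neither a longer name nor a trailing
    # newline can satisfy the pattern.
    return re.fullmatch(pattern, cn, flags=re.IGNORECASE) is not None


def unanchored_match(peercert, pattern):
    """Loose variant shown for comparison only: substring search, dots unescaped."""
    return any(re.search(pattern, cn) for cn in subject_common_names(peercert))


if __name__ == "__main__":
    loose = "www.mycompany.com"  # unescaped dots, no anchors
    for cn in ("www.mycompany.com", "www2.mycompany.com",
               "www.mycompany.com.example.net", "wwwxmycompany.com"):
        cert = make_cert(cn)
        print(f"{cn:32} strict={peer_cn_matches(cert)!s:5} "
              f"loose={unanchored_match(cert, loose)}")
```

A CN match is only meaningful on a certificate whose chain has already been verified; this check adds to that verification and does not replace it.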