curl-library
Re: ssluse.c and most significant common name entry (fwd)
Date: Mon, 19 Jan 2004 09:41:02 +0100 (CET)
On Fri, 16 Jan 2004, Daniel Stenberg wrote:
> I would appreciate someone else's comment/feedback on this patch. Personally
> I have no clue about this.
Ok, I studied the RFC2818 a bit and I found these interesting snippets:
(RFC2818, section 3.1 "Server Identity"):
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
We do the subjectAltName checks already. But the following paragraph says
this:
... If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.)
My understanding of this is that we should check all Common Names in the
certificate, not just try to figure out which single one we should check.
Any comments on this, Peter?
-- Daniel Stenberg -- http://curl.haxx.se/ -- http://daniel.haxx.se/ [[ Do not send mails to this email address. They won't reach me. ]]
Received on 2004-01-19
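The RFC 2818 section 3.1 rule discussed above, as an added example that is not part of this message or of curl's ssluse.c: dNSName entries take precedence and the Common Names are only consulted when no dNSName is present, with any match in the set accepted. The `example.com` style names are constructed sample values, and wildcards are honoured only in the leftmost label, which is an assumption of this example.

```c
#include <string.h>
#include <strings.h>   /* strcasecmp/strncasecmp (POSIX) */

/* Match one certificate identity against a hostname, case-insensitively.
   RFC 2818 3.1 wildcard rule: "*" stands for one label or label fragment,
   so "*.a.com" matches "foo.a.com" but not "bar.foo.a.com", and "f*.com"
   matches "foo.com". Wildcards only in the leftmost label (assumption). */
static int identity_match(const char *pattern, const char *host)
{
    const char *star = strchr(pattern, '*');
    const char *pdot, *hdot;
    size_t pre, suf, hlen;
    if (!star)
        return strcasecmp(pattern, host) == 0;
    pdot = strchr(pattern, '.');
    hdot = strchr(host, '.');
    if (!pdot || star > pdot || !hdot)
        return 0;
    if (strcasecmp(pdot, hdot) != 0)      /* all later labels must agree */
        return 0;
    pre = (size_t)(star - pattern);       /* text before the '*' */
    suf = (size_t)(pdot - star - 1);      /* text after the '*' */
    hlen = (size_t)(hdot - host);         /* length of host's first label */
    if (hlen < pre + suf)
        return 0;
    return strncasecmp(pattern, host, pre) == 0 &&
           strncasecmp(star + 1, hdot - suf, suf) == 0;
}

/* RFC 2818 3.1: if any dNSName subjectAltName is present, only the
   dNSNames are consulted and the Common Names are ignored; otherwise
   every Common Name is tried and a match against any one is accepted.
   Arrays are NULL-terminated; returns 1 on match, 0 on no match. */
int rfc2818_host_match(const char *host, const char **dns_names,
                       const char **common_names)
{
    const char **ids = (dns_names && dns_names[0]) ? dns_names : common_names;
    if (!ids)
        return 0;
    for (; *ids; ids++)
        if (identity_match(*ids, host))
            return 1;
    return 0;
}

/* Constructed sample identities, not taken from any real certificate. */
const char *sample_dns[] = { "www.example.com", "*.example.net", NULL };
const char *sample_cn[]  = { "Example Corp", "mail.example.org", NULL };
```

Calling `rfc2818_host_match("mail.example.org", sample_dns, sample_cn)` returns 0 because the dNSNames are present and the matching CN is therefore never consulted, while the same call with `NULL` in place of `sample_dns` returns 1.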