[161059] in North American Network Operators' Group
Re: looking for terminology recommendations concerning non-rooted
daemon@ATHENA.MIT.EDU (Brian Reichert)
Mon Feb 25 09:41:43 2013
Date: Mon, 25 Feb 2013 09:30:34 -0500
From: Brian Reichert <reichert@numachi.com>
To: Mark Andrews <marka@isc.org>
In-Reply-To: <20130223131021.498CA30008FF@drugs.dv.isc.org>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sun, Feb 24, 2013 at 12:10:20AM +1100, Mark Andrews wrote:
> > When I did my initial development with OpenSSL, I observed:
> >
> > - If I did not have the rooted domain name in the SAN, then any SSL
> > client stack would fail the verification if a rooted domain name
> > was used to connect to the SSL server.
>
> Well you have a broken SSL client app. If it is accepting non legal
> hostnames it should be normalising them before passing them to the ssl
> layer.

From what little research I've done (only OpenSSL), the SSL client
is relying on getaddrinfo(3) to do name resolution. In turn, I
haven't found an implementation of getaddrinfo(3) that rejects
rooted domain names as non-legal.

Looking for counter-examples...

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
--
Brian Reichert <reichert@numachi.com>
BSD admin/developer at large
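
The client-side normalisation suggested in the quoted reply, as an added example that is not part of the original thread and is not OpenSSL code: it shows a rooted name failing a literal comparison against a SAN entry and passing once the root dot is stripped. `normalize_host`, `san_matches`, `verify_host` and the sample SAN list are hypothetical names and constructed data, and the matcher is a simplified stand-in for a real certificate name check.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample SAN entries (lower-case, no root dot). */
static const char *const SAMPLE_SANS[] = { "www.example.com", "*.example.net" };

/* Hypothetical helper: lower-case, drop one root dot; -1 on a malformed name. */
int normalize_host(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in);
    if (n > 0 && in[n - 1] == '.') n--;   /* rooted form "host.example." */
    if (n == 0 || in[n - 1] == '.' || n >= outlen)
        return -1;                        /* empty, "a..", or too long */
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '.' && (i == 0 || in[i - 1] == '.'))
            return -1;                    /* empty label such as "a..b" */
        out[i] = (char)tolower((unsigned char)in[i]);
    }
    out[n] = '\0';
    return 0;
}

/* Simplified stand-in for a certificate name check (not OpenSSL's):
 * exact match, or "*." matching exactly one leftmost label. */
int san_matches(const char *san, const char *host)
{
    if (strncmp(san, "*.", 2) == 0) {
        const char *rest = strchr(host, '.');
        return rest != NULL && rest != host && strcmp(san + 1, rest) == 0;
    }
    return strcmp(san, host) == 0;
}

/* Returns 1 if the normalized host matches any sample SAN entry. */
int verify_host(const char *host)
{
    char buf[256];
    if (normalize_host(host, buf, sizeof buf) != 0)
        return 0;
    for (size_t i = 0; i < sizeof SAMPLE_SANS / sizeof SAMPLE_SANS[0]; i++)
        if (san_matches(SAMPLE_SANS[i], buf))
            return 1;
    return 0;
}

int main(void)
{
    printf("as typed: %d\n", san_matches(SAMPLE_SANS[0], "www.example.com."));
    printf("normalized: %d\n", verify_host("www.example.com."));
    return 0;
}
```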