[161074] in North American Network Operators' Group


Re: looking for terminology recommendations concerning non-rooted

daemon@ATHENA.MIT.EDU (Jay Ashworth)
Mon Feb 25 12:18:39 2013

Date: Mon, 25 Feb 2013 12:18:00 -0500 (EST)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <74F5F4AD-935B-442D-86CC-9CB19B880123@delong.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

----- Original Message -----
> From: "Owen DeLong" <owen@delong.com>

> However, that's for the resolver library. In terms of matching the CN
> in a certificate, this should always be FQDN and the trailing dot
> should not be present. If OpenSSL (the command line tool) is passing
> foo.blah.com. to the SSL functions and not just getaddrinfo(), then,
> it is a bug.

If I understood Brian correctly, his problem is that people/programs
are trying to retrieve things from, e.g.:

https://my.host.name./this/is/a/path

and the SSL library fails the certificate match if the cert doesn't contain
the absolute domain name as an altName -- because *the browser* (or whatever)
does not normalize before calling the library.

As I suggest in another thread, I think the SSL library probably ought to
be normalizing off that trailing dot itself, before trying to match the
string supplied to the names in the retrieved cert.

It sounds as if you might agree with me, at least in principle.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274


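The normalization step Jay argues for, as an added example that is not code from this thread or from any SSL library: the reference identifier taken from the URL has its trailing dot stripped before it is compared with the certificate's dNSName entries, with a conservative leftmost-label wildcard rule. The SAN list and the URLs are constructed sample values; parsing and signature validation of the certificate itself are assumed to have happened already.

```python
"""Strip the absolute-name trailing dot before matching against a cert's SANs."""
from urllib.parse import urlparse

# Constructed sample: the dNSName entries we pretend were read from the cert.
SAMPLE_SAN_DNS_NAMES = ["my.host.name", "*.host.name"]


def naive_matches(reference: str, san_dns_names: list[str]) -> bool:
    """The failure mode from the thread: exact compare with no normalization."""
    return reference in san_dns_names


def normalize_hostname(host: str) -> str:
    """Canonicalize a reference identifier before matching it against a cert.

    Removes one trailing dot (meaningful to the resolver, never present in a
    certificate name), lowercases, and rejects empty or malformed results.
    """
    if host.endswith("."):
        host = host[:-1]
    host = host.lower()
    if not host or host.startswith(".") or host.endswith(".") or ".." in host:
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def _name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName against an already-normalized host.

    A wildcard is accepted only as the entire leftmost label, matches exactly
    one label, and must leave at least two fixed labels so that '*.name'
    cannot match every second-level domain.
    """
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches_cert(url_or_host: str, san_dns_names: list[str]) -> bool:
    """True if the host in a URL (or bare hostname) matches any SAN dNSName."""
    parsed = urlparse(url_or_host if "://" in url_or_host else f"//{url_or_host}")
    if parsed.hostname is None:
        raise ValueError(f"no host in {url_or_host!r}")
    host = normalize_hostname(parsed.hostname)  # urlparse keeps the trailing dot
    return any(_name_matches(normalize_hostname(n), host) for n in san_dns_names)
```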