[edk2-devel] [RFC v1 5/4] CryptoPkg/TlsLib: accept peer certs via both DNS names and IP addresses
David Woodhouse
dwmw2 at infradead.org
Thu Oct 17 15:49:03 UTC 2019
On Thu, 2019-10-17 at 17:35 +0200, Laszlo Ersek wrote:
> Reference [2] advises to put the IP address in both CN and
> SAN.iPAddress
> for best compatibility, and that would be fine, for
> X509_VERIFY_PARAM_set1_ip(). But the word "only" in [3] is really bad
> for X509_VERIFY_PARAM_set1_ip().
I don't believe it's true, and it conflicts with what's in [2] which
suggests that you do it properly *and* put it in the legacy CN for the
benefit of broken clients.
None of this convinces me that EDK2 should deliberately be one of those
"broken clients". Just fix it. Let people worry about compatibility
with historical buggy versions of proprietary operating systems when
they issue their certs.
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#49183): https://edk2.groups.io/g/devel/message/49183
Mute This Topic: https://groups.io/mt/34551672/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5174 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/edk2-devel-archive/attachments/20191017/afbb5c09/attachment.bin>
More information about the edk2-devel-archive
mailing list