[Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

Christian Heimes cheimes at redhat.com
Fri Oct 9 13:00:45 UTC 2015


On 2015-10-09 13:21, Jan Orel wrote:
> Hello,
> 
> this patch removes an (IMHO) redundant check in cert_show, which fails when
> a host tries to re-submit a certificate of a different host/service which it
> can manage. 
> 
> I also reported the bug here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1269089
> 
> I tried to run the tests as well and it doesn't seem to break anything.
> Any feedback appreciated.

Jan Cholasta, you implemented the check in 2011. What purpose does it have?

hostname == CN has been deprecated by RFC 2818 for some time, see
https://tools.ietf.org/html/rfc2818#section-3.1. The current check is
also not sufficient to prevent forgery. Browsers and modern TLS
libraries completely ignore CN when a dNSName SAN extension is present.

Christian
