[Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

Jan Cholasta jcholast at redhat.com
Fri Oct 9 13:11:13 UTC 2015


On 9.10.2015 15:00, Christian Heimes wrote:
> On 2015-10-09 13:21, Jan Orel wrote:
>> Hello,
>>
>> this patch removes (IMHO) redundant check in cert_show, which fails when
>> host tries to re-submit certificate of different host/service which he
>> can manage.
>>
>> I also reported the bug here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1269089
>>
>> I tried to run the tests as well and it doesn't seem to break anything.
>> Any feedback appreciated.
>
> Jan Cholasta, you implemented the check in 2011. What purpose does it have?

I did not, it was added in commit 2e8bae59 by Rob.

>
> hostname == CN has been deprecated by RFC 2818 for some time, see
> https://tools.ietf.org/html/rfc2818#section-3.1 The current check is
> also not sufficient to prevent forgery. Browsers and modern TLS
> libraries completely ignore CN when a dNSName SAN extension is present.
>
> Christian
>


-- 
Jan Cholasta
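The CN-versus-SAN behaviour Christian describes above, shown as an added illustration that is not FreeIPA code and was not posted by anyone in this thread: a hostname matcher in the spirit of RFC 2818 section 3.1 and RFC 6125 that treats dNSName SAN entries as authoritative and consults the subject CN only when no dNSName SAN exists. It works on already-extracted identity fields rather than parsing X.509; the sample "certificates" at the bottom are constructed for the demo.

```python
"""Hostname matching with dNSName SAN precedence over subject CN.

Added example for the freeipa-devel discussion; not project code.
Inputs are pre-extracted certificate fields, so no X.509 parser is needed.
"""


def _dns_name_matches(pattern, hostname):
    """Match one dNSName pattern against a hostname.

    Case-insensitive. A single '*' is permitted only as the entire leftmost
    label and matches exactly one label: '*.example.com' covers
    'www.example.com' but not 'example.com' or 'a.b.example.com'.
    Wildcards with fewer than two labels after them ('*.com') are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(hostname, san_dns_names, common_name=None):
    """Return True if the certificate identity fields cover hostname.

    Mirrors browser/TLS-library behaviour: when any dNSName SAN is present,
    CN is ignored entirely, even if CN alone would have matched. CN is only
    a legacy fallback for certificates without a dNSName SAN.
    """
    if san_dns_names:
        return any(_dns_name_matches(p, hostname) for p in san_dns_names)
    if common_name is not None:
        return _dns_name_matches(common_name, hostname)
    return False


def check_cert(cert, hostname):
    """Convenience wrapper over a dict of extracted fields (constructed)."""
    return match_hostname(hostname, cert.get("san_dns", []), cert.get("cn"))


# Constructed sample identity fields for demonstration (not real certs).
SAMPLE_CERTS = {
    # SAN present: CN is irrelevant, only SAN entries count.
    "san_only": {"cn": "web.example.test", "san_dns": ["api.example.test"]},
    # Legacy certificate with no SAN: CN is the fallback identity.
    "cn_only": {"cn": "web.example.test", "san_dns": []},
    # Wildcard SAN covering one label under example.test.
    "wildcard": {"cn": "ignored.example.test", "san_dns": ["*.example.test"]},
}


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        for host in ("web.example.test", "api.example.test", "example.test"):
            print(f"{name:9} {host:18} -> {check_cert(cert, host)}")
```

The point of the example is the first branch of `match_hostname`: once a dNSName SAN is present, a matching CN does not help, which is why a check based on hostname == CN neither reflects what verifiers actually do nor prevents a certificate from naming other hosts via SAN.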
