> > * How does one even validate a self-signed cert? If ew0k.example.com > > serves a certificate with the Common Name "ew0k's Awesome Site" and no > > Subject Alternative Names, is that less valid than one that includes > > the hostname? Or the IP? Does expiration time matter at all for a > > self-signed cert? > > Yes, test the common name and/or alternative names, and the expiration > time. So basically at least one of Common Name and Subject Alternative Names should match the hostname provided? What if it doesn't, but it matches the IP? I guess I could press this issue even more, really. There's a technical difficulty in parsing wildcards, for example, depending on the libs available. If I request some.subdomain.example.com and the certificate lists "some.*.example.com" the ssl._dnsname_match() method in python3 won't be able to match it despite it being a valid wildcard (afaik). I don't really know what the certificate specification says here, but with self-signed certs we can write pretty much anything. My example of a Common Name that doesn't have a hostname would fail under your validation algorithm, but is it objectively *wrong*? Under a TOFU scheme I could also encounter a situation where a cert I have accepted has now expired, but the server still provides it. Is it
---
Previous in thread (2 of 14): 🗣️ Drew DeVault (sir (a) cmpwn.com)
Next in thread (4 of 14): 🗣️ Drew DeVault (sir (a) cmpwn.com)