On certificates and validation

On Wed Nov 25, 2020 at 8:16 AM EST, Björn Wärmedal wrote:
> So basically at least one of Common Name and Subject Alternative Names
> should match the hostname provided? What if it doesn't, but it matches
> the IP?

Hm, I'm not sure. Check the spec? I have never put an IP address into a
certificate.

> I guess I could press this issue even more, really. There's a
> technical difficulty in parsing wildcards, for example, depending on
> the libs available. If I request some.subdomain.example.com and the
> certificate lists "some.*.example.com" the ssl._dnsname_match() method
> in python3 won't be able to match it despite it being a valid wildcard
> (afaik). I don't really know what the certificate specification says
> here, but with self-signed certs we can write pretty much anything.

Technically you can make up your own CA and sign whatever bullshit certs
you want. So what? That doesn't change the interpretation of the
specification.

> My example of a Common Name that doesn't have a hostname would fail
> under your validation algorithm, but is it objectively *wrong*?

Yes.

> Under a TOFU scheme I could also encounter a situation where a cert I
> have accepted has now expired, but the server still provides it. Is it
> *wrong* to still accept it?

Yes.
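
Added example, not part of the original message and not code from Python's ssl module: a strict matcher for the two cases asked about above, applying RFC 6125 section 6.4.3 to DNS names (wildcard only as the whole left-most label) and RFC 2818 section 3.1 to IP addresses (compared only against iPAddress entries). The function names and SAMPLE_SAN are constructed for this example, and rejecting partial wildcards and "*.tld" is a conservative choice made here.

```python
import ipaddress

# Constructed sample data: subjectAltName entries as they might be read
# from a certificate, split by type.
SAMPLE_SAN = {"DNS": ["some.*.example.com", "*.example.org"],
              "IP": ["192.0.2.10"]}


def dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a hostname, RFC 6125 6.4.3 style."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    # A wildcard anywhere but the left-most label is never honoured,
    # so "some.*.example.com" matches nothing.
    if any("*" in label for label in p_labels[1:]):
        return False
    first, rest = p_labels[0], p_labels[1:]
    if rest != h_labels[1:]:
        return False
    if first == "*":
        # "*" covers exactly one label; require two more labels after it
        # so that "*.com" is refused (assumption of this example).
        return len(rest) >= 2
    # Partial wildcards such as "f*o" are refused (assumption of this example).
    return "*" not in first and first == h_labels[0]


def _ip_or_none(text: str):
    """Parse an IPv4/IPv6 literal, or return None if it is not one."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def cert_matches(target: str, san: dict) -> bool:
    """True if the requested host or IP is covered by the SAN entries."""
    ip = _ip_or_none(target)
    if ip is None:
        return any(dns_match(p, target) for p in san.get("DNS", []))
    # An IP target is checked only against iPAddress entries, never
    # against dNSName entries that happen to contain the same digits.
    return any(_ip_or_none(v) == ip for v in san.get("IP", []))
```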
