Victor Duchovni wrote:

>> do implementations do the dns reverse lookup thing
>
> No, obtaining the correct peer name to check in certificates is the
> responsibility of the application, not the library.
Not correct. "openssl s_client" is part of openssl, and it doesn't offer sample code to do this. Also, turning one's nose up at v6 issues and blaming other software components won't get the stuff working ;-)

>> can you buy a certificate from a retail certificate authority
>
> Not an OpenSSL question.

Not correct. "OpenSSL works with..." is part of the point here; "we do IPv6 but we don't work with Verisign, Thawte, Microsoft, Entrust, or GeoTrust" would make it kind of worthless.

>> and then of course there would be the question of whether the underlying
>> protocol stack sufficiently supported the BIO code and all that.
>
> For established connections, the BIO layer does not care whether the
> socket is V4 or V6 or even a socket for that matter.

That's a pleasant developer-grade assertion. One would like to see this proven in real tests (thus "openssl s_client" supporting v6 is interesting...). Remember that OpenSSL is built upon YEARS of coping with allegedly functional but in fact dysfunctional software components in the wild. Presuming the v6 experience will be different seems architecturally irresponsible to me.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
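The thread turns on two claims: that the application, not the TLS library, has to decide which peer name the certificate is checked against (and that a reverse DNS lookup is the wrong way to get it), and that once a socket is connected the library does not care whether it is v4 or v6. The following is an added example, not code from the thread or from the OpenSSL project, showing how a client does that with the Python standard library `ssl` module: the name to verify is taken from the user-supplied connect target (DNS name, IPv4 literal, or bracketed IPv6 literal), and the address family is whatever `getaddrinfo()` returns. The target strings and the `parse_target`/`client_context`/`connect_tls` names are this example's own.

```python
"""Added example (not from the openssl-users thread): the application
supplies the peer name for certificate checking itself, for DNS-name,
IPv4 and IPv6 targets, instead of deriving it from a reverse lookup.
Only the standard library is used (ipaddress, socket, ssl).
"""
import ipaddress
import socket
import ssl
from typing import NamedTuple


class Target(NamedTuple):
    host: str       # DNS name or IP literal, brackets already stripped
    port: int
    is_ip: bool     # True when host is an IPv4/IPv6 literal


def parse_target(spec: str, default_port: int = 443) -> Target:
    """Parse a user-supplied connect target such as 'example.com:443',
    '192.0.2.1:8443', '[2001:db8::1]:443' or a bare '::1'.

    The host part is what the certificate is later verified against.
    It comes from the user's intent (config, URL, command line), never
    from a PTR lookup on the address we happened to connect to.
    """
    spec = spec.strip()
    if spec.startswith("["):                      # bracketed IPv6 literal
        end = spec.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal: %r" % spec)
        host, rest = spec[1:end], spec[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal: %r" % spec)
        port = int(rest[1:]) if rest else default_port
    elif spec.count(":") > 1:                     # bare IPv6 literal, no port
        host, port = spec, default_port
    elif ":" in spec:                             # name-or-v4 with port
        host, port_s = spec.rsplit(":", 1)
        port = int(port_s)
    else:
        host, port = spec, default_port
    if not host:
        raise ValueError("empty host in %r" % spec)
    if not 0 < port < 65536:
        raise ValueError("port out of range in %r" % spec)
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return Target(host, port, is_ip)


def client_context(cafile=None) -> ssl.SSLContext:
    """A client context that rejects unverified peers and name mismatches."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True                     # on by default; be explicit
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both requires a chain and checks the name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_tls(spec: str, cafile=None) -> ssl.SSLSocket:
    """Connect over whichever family getaddrinfo() picks (v4 or v6) and
    verify the certificate against the parsed host.

    server_hostname feeds both SNI (sent for DNS names only; the ssl
    module sends no SNI for IP literals) and the subjectAltName match:
    dNSName entries for names, iPAddress entries for literals.
    """
    t = parse_target(spec)
    ctx = client_context(cafile)
    raw = socket.create_connection((t.host, t.port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=t.host)
```

`connect_tls` is the only piece that touches the network; everything the verification depends on (which name, which port, whether it is a literal) is decided before the socket exists, which is the point the quoted reply makes about the library not being the right place for that decision.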