On Thu, Sep 13, 2007 at 10:26:29AM -0700, Rodney Thayer wrote:

> Victor Duchovni wrote:
>
> >> do implementations do the dns reverse lookup thing
> >
> > No, obtaining the correct peer name to check in certificates is the
> > responsibility of the application, not the library.
>
> not correct. "openssl s_client" is part of openssl, and it doesn't
> offer sample code to do this.

I made a distinction between applications and libraries, not OpenSSL
code vs. end-user code. The library does not select the peername to
verify.

> also, turning one's nose up at v6 issues and blaming other software
> components won't get the stuff working ;-)

Nothing to do with noses, the library (correctly) delegates naming
issues to the application, which knows best. The library has no idea
what the expected peer name should be for any given SSL session. Often
these have nothing to do with hostnames and such, and using DNS to
derive peer names is not secure.

> >> can you buy a certificate from a retail certificate authority
> >
> > Not an OpenSSL question.
>
> Not correct. "OpenSSL works with..." is part of the point here;
> "we do IPv6 but we don't work with Verisign, Thawte, Microsoft, Entrust,
> or GeoTrust" would make it kind of worthless.

I am not aware of any public CAs issuing IP certs, but these are
routinely used with VPNs via private-label CAs trusted by both sides.

You seem to have become combative in your tone, I don't know why. I hope
we can return to a more neutral mode.

> >> and then of course there would be the question of whether the underlying
> >> protocol stack sufficiently supported the BIO code and all that.
> >
> > For established connections, the BIO layer does not care whether the
> > socket is V4 or V6 or even a socket for that matter.
>
> That's a pleasant developer-grade assertion. One would like to see
> this proven in real tests (thus "openssl s_client" supporting v6
> is interesting...) Remember that OpenSSL is built upon YEARS of
> coping with allegedly functional but in fact dysfunctional
> software components in the wild. Presuming the v6 experience
> will be different seems architecturally irresponsible to me.

I am out of here. Good luck.

--
	Viktor.
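The division of labour Viktor describes above, with the application choosing the expected peer name and checking it against the certificate rather than deriving it from reverse DNS, as an added example that is not part of this thread or of OpenSSL. It assumes the dict shape Python's `ssl` module returns from `getpeercert()` and uses a constructed sample certificate; the matching rules are a small reimplementation for illustration, not the library's own code.

```python
import ipaddress
from typing import Any

# Constructed sample in the dict shape Python's ssl.SSLSocket.getpeercert()
# returns (not a real certificate): one dNSName plus an IPv4 and an IPv6 SAN.
SAMPLE_PEER_CERT: dict[str, Any] = {
    "subject": ((("commonName", "vpn.example.test"),),),
    "subjectAltName": (
        ("DNS", "vpn.example.test"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:1"),
    ),
}

def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN against the expected hostname: case-insensitive,
    wildcard allowed only as the whole leftmost label with at least two labels
    after it (RFC 6125 style, reimplemented here purely as an illustration)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def peer_identity_matches(cert: dict[str, Any], expected: str) -> bool:
    """Is this certificate for the peer the application meant to reach?
    `expected` is the name the application already knows (what the user typed
    or the address pinned in a VPN profile), never one derived from a reverse
    DNS lookup of the socket's peer address, which an attacker can influence.
    IP literals (v4 or v6) match only iPAddress SANs, compared after
    normalization ("2001:db8::1" == "2001:DB8:0:0:0:0:0:1"); hostnames match
    only dNSName SANs, so commonName is ignored.
    """
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(expected)
    except ValueError:
        wanted_ip = None  # not an IP literal, so treat it as a hostname
    if wanted_ip is not None:
        for kind, value in sans:
            try:
                if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:  # malformed iPAddress entry: skip it
                continue
        return False
    return any(kind == "DNS" and _dns_match(value, expected) for kind, value in sans)
```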
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]