On Thu, 28 Aug 2014, Richard Moore wrote:
> I've found (and reported or fixed) flaws in the hostname verification of pretty much all the browsers and libraries and I don't think the rules are clear. I'm happy to add the test cases I use for testing this stuff myself to the rfc as examples if people think that would be helpful.

As author of one of those libs Richard speaks of, I can only say that I would be happy to see such test cases.
Had we had such tests (and preferably a single RFC detailing all on how to verify a TLS server certificate) in the past, perhaps we could have avoided a few nasty security vulnerabilities.
--
 / daniel.haxx.se
