> On 17 Mar 2021, at 17:53, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> See X509_check_host(3). Its behaviour is customisable via the
> below flags:
>
> X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
> X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
> X509_CHECK_FLAG_NO_WILDCARDS,
> X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
> X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS,
> X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS.
>
> So what Rich is proposing amounts to changing the default flag
> setting from zero to X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, and
> then applications that want the legacy behaviour can just clear
> that flag bit if they so desire.
Ok, that makes a whole lot of sense.

Eliot
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta