openssl

wbrawner/openssl

Fork 0

Commit graph

Author	SHA1	Message	Date
Viktor Dukhovni	d02d80b2e8	Limit scope of CN name constraints Don't apply DNS name constraints to the subject CN when there's a least one DNS-ID subjectAlternativeName. Don't apply DNS name constraints to subject CN's that are sufficiently unlike DNS names. Checked name must have at least two labels, with all labels non-empty, no trailing '.' and all hyphens must be internal in each label. In addition to the usual LDH characters, we also allow "_", since some sites use these for hostnames despite all the standards. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>	2018-05-23 11:12:13 -04:00
Dr. Stephen Henson	d83b7e1a58	Extend mkcert.sh to support nameConstraints generation and more complex subject alternate names. Add nameConstraints tests incluing DNS, IP and email tests both in subject alt name extension and subject name. Reviewed-by: Richard Levitte <levitte@openssl.org>	2016-07-11 23:30:04 +01:00

Author

SHA1

Message

Date

Viktor Dukhovni

d02d80b2e8

Limit scope of CN name constraints

Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names.  Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label.  In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

2018-05-23 11:12:13 -04:00

Dr. Stephen Henson

d83b7e1a58

Extend mkcert.sh to support nameConstraints generation and more complex

subject alternate names.

Add nameConstraints tests incluing DNS, IP and email tests both in
subject alt name extension and subject name.

Reviewed-by: Richard Levitte <levitte@openssl.org>

2016-07-11 23:30:04 +01:00

2 commits