Commit d02d80b2 authored by Viktor Dukhovni

Limit scope of CN name constraints



Don't apply DNS name constraints to the subject CN when there's at
least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names.  Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label.  In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
parent de9f5b35
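
The two rules in the commit message, written out as an added example; this is not the code from this commit. The function names and the `has_dns_san` flag are hypothetical, and the CN is assumed to arrive as raw bytes with an explicit length.

```c
#include <stddef.h>

/* ASCII letters, digits and '_' (the extra character the commit allows). */
static int is_label_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
        || (c >= '0' && c <= '9') || c == '_';
}

/* Hypothetical helper: 1 if the CN is DNS-like per the commit message. */
int cn_is_dns_like(const char *cn, size_t len)
{
    size_t i, label_len = 0, labels = 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)cn[i];

        if (c == '.') {
            /* Reject empty labels and labels ending in a hyphen. */
            if (label_len == 0 || cn[i - 1] == '-')
                return 0;
            labels++;
            label_len = 0;
        } else if (c == '-') {
            /* A hyphen may not start a label. */
            if (label_len == 0)
                return 0;
            label_len++;
        } else if (is_label_char(c)) {
            label_len++;
        } else {
            return 0;   /* spaces, NUL bytes, non-ASCII, etc. */
        }
    }
    /* label_len == 0 here means empty input or a trailing '.'. */
    if (label_len == 0 || cn[len - 1] == '-')
        return 0;
    return labels + 1 >= 2;   /* at least two labels */
}

/* Hypothetical decision: has_dns_san is nonzero when the certificate
 * carries at least one DNS-ID subjectAlternativeName. */
int apply_dns_constraints_to_cn(int has_dns_san, const char *cn, size_t len)
{
    return !has_dns_san && cn_is_dns_like(cn, len);
}
```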