  1. May 23, 2018
    • Skip CN DNS name constraint checks when not needed · 6d3cfd13
      Viktor Dukhovni authored

      Only check the CN against DNS name constraints if the
      `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
      certificate has no DNS subject alternative names or the
      `X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.
      
      Add pertinent documentation, and touch up some stale text about
      name checks and DANE.
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
      Reviewed-by: Tim Hudson <tjh@openssl.org>
      6d3cfd13
    • Limit scope of CN name constraints · c2c2c7b3
      Viktor Dukhovni authored

      Don't apply DNS name constraints to the subject CN when there's at
      least one DNS-ID subjectAlternativeName.
      
      Don't apply DNS name constraints to subject CN's that are sufficiently
      unlike DNS names.  Checked name must have at least two labels, with
      all labels non-empty, no trailing '.' and all hyphens must be
      internal in each label.  In addition to the usual LDH characters,
      we also allow "_", since some sites use these for hostnames despite
      all the standards.
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
      Reviewed-by: Tim Hudson <tjh@openssl.org>
      c2c2c7b3
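
The "sufficiently unlike DNS names" test described in commit c2c2c7b3, sketched as an added example. This is not OpenSSL's code: the function names and the `has_dns_san` flag are hypothetical, and the rules are taken only from the commit message above.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not an OpenSSL function: returns 1 when a subject CN
 * is DNS-like per the commit message (at least two labels, no empty labels,
 * no trailing '.', hyphens only inside a label, LDH characters plus '_'). */
static int cn_looks_like_dns_name(const char *cn, size_t len)
{
    size_t i, label_len = 0;
    int labels = 1;

    if (cn == NULL || len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)cn[i];

        if (c == '.') {
            /* Reject empty labels, a trailing '.', and a label ending in '-' */
            if (label_len == 0 || i == len - 1 || cn[i - 1] == '-')
                return 0;
            labels++;
            label_len = 0;
            continue;
        }
        if (c == '-') {
            /* A hyphen may not start a label or end the name */
            if (label_len == 0 || i == len - 1)
                return 0;
        } else if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                     || (c >= '0' && c <= '9') || c == '_')) {
            return 0; /* spaces, embedded NULs, non-LDH bytes */
        }
        label_len++;
    }
    return labels >= 2;
}

/* has_dns_san is an assumed caller-supplied flag: 1 when the certificate
 * carries at least one DNS-ID subjectAlternativeName. */
static int cn_subject_to_dns_constraints(const char *cn, size_t len, int has_dns_san)
{
    return !has_dns_san && cn_looks_like_dns_name(cn, len);
}

int main(void)
{
    /* Constructed sample CNs, not taken from any real certificate */
    const char *s[] = { "my_host.example.com", "Example Root CA", "host.example.com." };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s -> %d\n", s[i], cn_subject_to_dns_constraints(s[i], strlen(s[i]), 0));
    return 0;
}
```
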