Bill Janssen <janssen at parc.com> wrote:

> > Does it check that the host the socket is connected to is the same as
> > what's given in the CN field in the certificate?
>
> No. That, in general, doesn't work very well. The IETF working group
> on this is considering deprecating putting a hostname in the CN field at
> all, and just adding hostnames via the subjectAltName extension. The
> problem that's come up is that many computers don't have fixed IP
> addresses, and even with that the hostname is part of a different
> mapping of hostnames to IP addresses, which can also vary.

Incidentally, the current working draft on this seems to be at
<http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-00>.

Bill
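The draft cited above was later published as RFC 6125, and the rule it settles on is the one Bill describes: dNSName entries in subjectAltName are authoritative, and the CN is consulted only when the certificate carries no dNSName at all. The following is an added illustration of that rule written for this page; it is not the ssl module's own implementation and is not code from the thread. It assumes the dict shape that ssl.SSLSocket.getpeercert() returns ('subject' as a tuple of RDNs, 'subjectAltName' as a tuple of (type, value) pairs) and applies a simplified form of the RFC 6125 wildcard restrictions.

```python
"""Hostname matching in the style of RFC 6125 (illustrative example).

Input is the dict shape returned by ssl.SSLSocket.getpeercert():
  'subject':         tuple of RDNs, each a tuple of (type, value) pairs
  'subjectAltName':  tuple of (type, value) pairs, e.g. ('DNS', 'x.example')
"""


def _dnsname_matches(pattern, hostname):
    """Match one dNSName (possibly with a leftmost wildcard) against hostname.

    Simplified RFC 6125 section 6.4.3 rules:
      * comparison is case-insensitive (trailing dots ignored),
      * a single '*' is allowed only as the entire leftmost label,
      * the wildcard matches exactly one label, never zero or several,
      * no wildcard is accepted for a pattern with fewer than three labels
        (so '*.com' never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels) or not host_labels[0]:
        return False
    return host_labels[1:] == labels[1:]


def match_hostname(cert, hostname):
    """Return True if cert is valid for hostname.

    subjectAltName dNSName entries are authoritative; the commonName is
    consulted only when the certificate carries no dNSName at all.
    """
    dnsnames = [value for kind, value in cert.get("subjectAltName", ())
                if kind == "DNS"]
    if not dnsnames:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    dnsnames.append(value)
    return any(_dnsname_matches(name, hostname) for name in dnsnames)


# Constructed sample certificates in getpeercert() form (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "ignored.example.org"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "example.com"),)),
}
BROAD_WILDCARD_CERT = {
    "subjectAltName": (("DNS", "*.com"),),
}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "www.example.com"),
                       (SAN_CERT, "ignored.example.org"),
                       (CN_ONLY_CERT, "example.com"),
                       (BROAD_WILDCARD_CERT, "example.com")]:
        print(host, "->", match_hostname(cert, host))
```

Note that when a SAN with dNSName entries is present, a hostname that appears only in the CN is rejected (the second sample above), which is exactly why clients that still match on CN alone give a different answer from ones that follow the draft.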