looking for terminology recommendations concerning non-rooted FQDNs

Jay Ashworth jra at baylink.com
Mon Feb 25 17:18:00 UTC 2013


----- Original Message -----
> From: "Owen DeLong" <owen at delong.com>

> However, that's for the resolver library. In terms of matching the CN
> in a certificate, this should always be FQDN and the trailing dot
> should not be present. If OpenSSL (the command line tool) is passing
> foo.blah.com. to the SSL functions and not just getaddrinfo(), then,
> it is a bug.

If I understood Brian correctly, his problem is that people/programs
are trying to retrieve things from, eg:

https://my.host.name./this/is/a/path

and the SSL library fails the certificate match if the cert doesn't contain
the absolute domain name as an altName -- because *the browser* (or whatever)
does not normalize before calling the library.

As I suggest in another thread, I think the SSL library probably ought to
be normalizing off that trailing dot itself, before trying to match the
string supplied to the names in the retrieved cert.

It sounds as if you might agree with me, at least in principle.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274




More information about the NANOG mailing list