lynx-dev

Re: [Lynx-dev] [PATCH] wildcard matching for SSL cert CN


From: Thorsten Glaser
Subject: Re: [Lynx-dev] [PATCH] wildcard matching for SSL cert CN
Date: Fri, 23 Jul 2004 05:41:18 +0000

Dixitur illum address@hidden scribere...

>Does this still test for the hash of the cert in SSL_CERT_DIR? Since this is

Yes, of course - the CN is tested in a totally different step.
If both (1) and (2) are fulfilled, only then is the user not warned.

(1) - certificate is trusted
(2) - certificate's CN matches hostname

>It might be an idea to be able to toggle accepting wildcard certs or being
>stricter on the matching of CN to hostname (if interested).

I don't think so; in addition to that, only very few wildcard
certificates exist, and I've never seen one where it's not
for service aliases (e.g. the * matches www,ftp,snews).

>On Wed, 21 Jul 2004, Thorsten Glaser wrote:

Please don't top-post and full-quote, it wastes everyone's
traffic. Read http://www.afaik.de/usenet/faq/zitieren/ (it
has got links to an English translation).

//Thorsten
-- 
Currently blocking eMail from the following domains: bigpond.com, biz, gmx.de,
gmx.net, hotmail.com, info, jumpy.it, libero.it, name, netscape.net,
postino.it, simplesnet.pt, spymac.com, tatanova.com, tiscali.co.uk,
tiscali.cz, tiscali.de, tiscali.it, voila.fr, yahoo.co.uk, yahoo.com.
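
The two independent checks described in the message above (chain trust, then CN against hostname), sketched as an added example that is not part of the original post and is not the code of the Lynx patch. The function names and the policy that `*` stands for exactly one leftmost label, with at least two labels after it, are assumptions made here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality; DNS names compare without regard to case. */
static bool eq_nocase(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
        a++, b++;
    }
    return *a == *b;                 /* true only if both strings ended */
}

/* Step (2): does the certificate CN cover the hostname? (hypothetical helper) */
static bool cn_matches_host(const char *cn, const char *host)
{
    if (!cn || !host || !*cn || !*host)
        return false;
    if (strncmp(cn, "*.", 2) != 0)   /* no leading wildcard: exact match only */
        return strchr(cn, '*') == NULL && eq_nocase(cn, host);

    const char *suffix = cn + 1;     /* e.g. ".example.org" */
    if (strchr(suffix, '*') != NULL) /* only one wildcard, leftmost label */
        return false;
    if (strchr(suffix + 1, '.') == NULL) /* assumed policy: reject "*.org" */
        return false;

    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)  /* host needs a non-empty first label */
        return false;
    return eq_nocase(dot, suffix);   /* '*' consumed exactly one label */
}

/* The user is not warned only when both (1) trust and (2) CN match hold. */
static bool should_warn(bool chain_trusted, const char *cn, const char *host)
{
    return !(chain_trusted && cn_matches_host(cn, host));
}

int main(void)
{
    /* Constructed sample: trusted chain, wildcard CN, service-alias host. */
    printf("warn=%d\n", should_warn(true, "*.example.org", "ftp.example.org"));
    return 0;
}
```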



