[prev in list] [next in list] [prev in thread] [next in thread] 

List:       twsocket
Subject:    Re: [twsocket] SAN SSL certificates
From:       "Arno Garrels" <arno.garrels () gmx ! de>
Date:       2011-08-01 15:50:13
Message-ID: DA37CE836DFB4016A6A7AEF30B561CE7 () asus
[Download RAW message or body]

Fastream Technologies wrote:
> Arno,
> On Mon, Aug 1, 2011 at 17:56, Arno Garrels <arno.garrels@gmx.de>
> wrote: 
> 
>> Fastream Technologies wrote:
>>>> What is the problem? Please be more specific.
>>>> 
>>> 
>>> Honestly I am not yet sure. It is just one customer says "he could
>>> not get SAN SSL cert to work". I told him to alter Accepted Hosts
>>> and use the wildcard SNI domain. I asked here to learn if it is
>>> supported or not. If it is not, I need to know to announce. If you
>>> know a way to get it working, let me know.
>> 
>> As far as I know there is no problem.
>> OpenSSL doesn't use these certificate fields for verification,
>> only TX509Base.PostConnectionCheck() and it has to be called
>> explicitly. This method searchs for the passed string in fields
>> subject alternative name and common name.
>> 
>> 
>> 
> 
> So would the additional domains work with ICS or not? If not, what to
> do? I notice our customers are getting more and more high end every
> day and this is making them harder to support.

As I said, I do not see any reason why ICS/OpenSSL should not
handle them correctly. If you think you found a bug please 
provide a simple, reproducible test case.

-- 
Arno Garrels
 

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
[prev in list] [next in list] [prev in thread] [next in thread]