[stunnel-users] Three patches: DNS CommonName verification support, separated stderr/foreground options, and support for minimal ssl libs

Magnus Therning magnus+stunnel at therning.org
Tue Jun 1 09:28:13 CEST 2010


On Mon, May 31, 2010 at 22:50, Tristan Schmelcher
<tristan_schmelcher at alumni.uwaterloo.ca> wrote:
[...]
> stunnel-4.33-dns-commonname-verify-support.patch:
>
> I saved the best for last. ;) This adds a "verify_dns" option to check
> the CommonName in peer certificates against their DNS name when
> verifying, much as web browsers do.
>
> I have seen posts from users asking for this feature in the past, so I
> think its value is self-evident.

I do like the use of a configuration option to turn on hostname
verification.  And as you say there have been requests for this
feature in the past, but there have also been posts of patches
implementing it in the past (e.g.
http://stunnel.mirt.net/pipermail/stunnel-users/2010-March/002613.html
by me, but sans the option bit :-).  I do have some questions though:

1. If I read this patch correctly it only checks CN, is that correct?
2. Is there any particular reason for not including SAN in the
verification as well?
3. Are the patches released under GPL?

/M

-- 
Magnus Therning                        (OpenPGP: 0xAB4DFBA4)
magnus@therning.org          Jabber: magnus@therning.org
http://therning.org/magnus         identi.ca|twitter: magthe
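Hostname matching of the kind the thread discusses, written to answer question 2: subjectAltName dNSName entries are checked first and the CommonName is consulted only when the certificate carries no dNSName at all, which is what browsers and RFC 6125 do. This is an added example, not code from the patch or from stunnel; the function names and the sample identities are constructed for illustration.

```python
from typing import List, Optional


def _match_identifier(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (SAN dNSName or CN) against a hostname.

    A wildcard is accepted only as the entire left-most label ("*.example.net"),
    matches exactly one label, and must be followed by at least two more labels
    so that "*.net" cannot match every host under .net.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def match_hostname(san_dns: List[str], common_name: Optional[str], hostname: str) -> bool:
    """Return True when the certificate's DNS identities cover hostname.

    san_dns:     dNSName entries from subjectAltName (may be empty)
    common_name: subject CommonName, or None if absent
    If any dNSName SAN is present the CN is ignored entirely, so a CN-only
    check (as in the patch under discussion) and this check can disagree.
    """
    if san_dns:
        return any(_match_identifier(name, hostname) for name in san_dns)
    if common_name is not None:
        return _match_identifier(common_name, hostname)
    return False


# Constructed sample identities; these are not taken from any real certificate.
CN_ONLY_CERT = ([], "stunnel.example.net")
SAN_CERT = (["www.example.net", "*.srv.example.net"], "legacy-cn.example.net")

if __name__ == "__main__":
    print(match_hostname(*CN_ONLY_CERT, "stunnel.example.net"))   # True: CN fallback
    print(match_hostname(*SAN_CERT, "legacy-cn.example.net"))     # False: SAN present, CN ignored
    print(match_hostname(*SAN_CERT, "a.srv.example.net"))         # True: wildcard, one label
    print(match_hostname(*SAN_CERT, "b.a.srv.example.net"))       # False: wildcard spans one label only
```

The last two cases show where a CN-only verifier diverges from SAN-aware matching: the CN still names a host, but once a dNSName SAN exists the CN carries no authority.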
