[stunnel-users] Three patches: DNS CommonName verification support, separated stderr/foreground options, and support for minimal ssl libs

Tristan Schmelcher tristan_schmelcher at alumni.uwaterloo.ca
Tue Jun 1 19:22:07 CEST 2010


On Tue, Jun 1, 2010 at 12:28 AM, Magnus Therning <magnus+stunnel at therning.org> wrote:

> On Mon, May 31, 2010 at 22:50, Tristan Schmelcher
> <tristan_schmelcher at alumni.uwaterloo.ca> wrote:
> [...]
> > stunnel-4.33-dns-commonname-verify-support.patch:
> >
> > I saved the best for last. ;) This adds a "verify_dns" option to check
> > the CommonName in peer certificates against their DNS name when
> > verifying, much as web browsers do.
> >
> > I have seen posts from users asking for this feature in the past, so I
> > think its value is self-evident.
>
> I do like the use of a configuration option to turn on hostname
> verification.  And as you say there have been requests for this
> feature in the past, but there have also been posts of patches
> implementing it in the past (e.g.
> http://stunnel.mirt.net/pipermail/stunnel-users/2010-March/002613.html
> by me, but sans the option bit :-).


For some reason your patch didn't turn up when I was searching for this
feature before.

My thinking is that having an option for it makes a big difference.


> I do have some questions though:
>
> 1. If I read this patch correctly it only checks CN, is that correct?
>

Correct.


> 2. Is there any particular reason for not including SAN in the
> verification as well?
>

I confess that I have never heard of anything called SAN in the context of
SSL/TLS, and I can't find anything about it online. Do you have a link?


> 3. Are the patches released under GPL?
>

No, I released them into the public domain since Michel requires that for
any patches that are to be incorporated into mainline stunnel.


>
> /M
>
> --
> Magnus Therning                        (OpenPGP: 0xAB4DFBA4)
> magnus@therning.org          Jabber: magnus@therning.org
> http://therning.org/magnus         identi.ca|twitter: magthe
>
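
The distinction behind question 2, as an added example that is not part of the original message or of the posted patch: SAN is the subjectAltName certificate extension, and RFC 2818 section 3.1 requires that when it carries dNSName entries those are used as the identity, with the CommonName consulted only when none are present. `cert_matches_host` and its arguments are hypothetical; the names are assumed to have been extracted from the certificate already, and the wildcard rule is this example's conservative choice.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated DNS names. */
static int ieq(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name against the host we connected to.
 * "*" is accepted only as the whole leftmost label and stands for exactly
 * one label: "*.example.org" matches "mail.example.org" only. */
static int name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0')
        return 0;
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *rest = strchr(host, '.');   /* host minus first label */
        if (rest == NULL || rest == host)       /* no dot, or empty label */
            return 0;
        if (strchr(pattern + 2, '.') == NULL)   /* refuse "*.com" style */
            return 0;
        return ieq(pattern + 1, rest);
    }
    if (strchr(pattern, '*') != NULL)           /* wildcard anywhere else */
        return 0;
    return ieq(pattern, host);
}

/* Hypothetical helper, not stunnel's API. san_dns holds the dNSName
 * entries of the subjectAltName extension; cn is the CommonName.
 * Returns 1 when the certificate is valid for host, 0 otherwise. */
int cert_matches_host(const char *host, const char *const *san_dns,
                      size_t n_san, const char *cn)
{
    size_t i;
    if (n_san > 0) {                 /* SAN present: CN is ignored */
        for (i = 0; i < n_san; i++)
            if (name_matches(san_dns[i], host))
                return 1;
        return 0;
    }
    return name_matches(cn, host);   /* legacy CN-only certificate */
}
```

When the names are pulled out of the certificate, compare each ASN.1 string's length against `strlen()` and reject any name with an embedded NUL byte before passing it to a matcher like this.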