[stunnel-users] Three patches: DNS CommonName verification support, separated stderr/foreground options, and support for minimal ssl libs
tristan_schmelcher at alumni.uwaterloo.ca
Tue Jun 1 19:22:07 CEST 2010
On Tue, Jun 1, 2010 at 12:28 AM, Magnus Therning <magnus+stunnel at therning.org> wrote:
> On Mon, May 31, 2010 at 22:50, Tristan Schmelcher
> <tristan_schmelcher at alumni.uwaterloo.ca> wrote:
> > stunnel-4.33-dns-commonname-verify-support.patch:
> > I saved the best for last. ;) This adds a "verify_dns" option to check
> > the CommonName in peer certificates against their DNS name when
> > verifying, much as web browsers do.
> > I have seen posts from users asking for this feature in the past, so I
> > think its value is self-evident.
> I do like the use of a configuration option to turn on hostname
> verification. And as you say there have been requests for this
> feature in the past, but there have also been posts of patches
> implementing it in the past (e.g.
> by me, but sans the option bit :-).
For some reason your patch didn't turn up when I was searching for this
My thinking is that having an option for it makes a big difference.
> I do have some questions though:
> 1. If I read this patch correctly it only checks CN, is that correct?
> 2. Is there any particular reason for not including SAN in the
> verification as well?
I confess that I have never heard of anything called SAN in the context of
SSL/TLS, and I can't find anything about it online. Do you have a link?
> 3. Are the patches released under GPL?
No, I released them into the public domain since Michel requires that for
any patches that are to be incorporated into mainline stunnel.
> Magnus Therning (OpenPGP: 0xAB4DFBA4)
> magnus＠therning．org Jabber: magnus＠therning．org
> http://therning.org/magnus identi.ca|twitter: magthe
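
Added example (not part of the patch or of stunnel; the function names are hypothetical): the host name check discussed in this thread, with subjectAltName (SAN) dNSName entries consulted first and the CommonName used only when the certificate has none, as RFC 2818 specifies. It assumes the caller has already extracted the names from the certificate as C strings and rejected any that contain embedded NUL bytes.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Match one certificate name against the expected host, case-insensitively.
 * A "*" is honoured only as the entire left-most label and covers exactly
 * one label, so "*.example.com" matches "mail.example.com" but not
 * "example.com" or "a.b.example.com". */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;                   /* no label for "*" to cover */
        if (strchr(pattern + 2, '.') == NULL)
            return 0;                   /* refuse "*.com"-style patterns */
        return strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Returns 1 if the certificate identifies `host`, else 0.
 * san_dns/san_count: dNSName entries from subjectAltName (may be empty).
 * cn: subject CommonName, or NULL if absent.
 * CN is consulted only when the certificate carries no dNSName entries
 * at all (RFC 2818, section 3.1). */
int cert_matches_host(const char *const *san_dns, size_t san_count,
                      const char *cn, const char *host)
{
    size_t i;
    if (san_count > 0) {
        for (i = 0; i < san_count; i++)
            if (name_matches(san_dns[i], host))
                return 1;
        return 0;                       /* SAN present: never fall back to CN */
    }
    return cn != NULL && name_matches(cn, host);
}

int main(void)
{
    /* Constructed sample: SAN lists two names, CN holds a different one. */
    const char *const san[] = { "mail.example.com", "*.internal.example.com" };
    printf("%d %d\n",
           cert_matches_host(san, 2, "legacy.example.com", "mail.example.com"),
           cert_matches_host(san, 2, "legacy.example.com", "legacy.example.com"));
    return 0;
}
```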