@HashiCorp we need to talk. https://github.com/hashicorp/vault/blob/master/builtin/credential/cert/path_login.go#L219-L242 … call me, seriously not goodness.
Replying to @rmhrisk @HashiCorp
Wow. No testing against rejectedSubTrees, no consideration of SAN, strange name comparison, no checking against the chain? Good catch.
1 reply 0 retweets 2 likes -
These are additional checks based on configuration layered on top of the standard TLS verification (bottom of the file), not the only check
2 replies 0 retweets 1 like -
Let us know if you see an issue though, we’d love to get it fixed!
2 replies 0 retweets 1 like -
Perf?:
- return !b.checkForChainInCRLs(trustedChain) && nameMatched
+ return nameMatched && !b.checkForChainInCRLs(trustedChain)
1 reply 0 retweets 0 likes
Replying to @BRIAN_____ @armon and
Also, and more relevantly, it would be nice if there were a way to disable the CN check at least (strict RFC 6125 mode).
1:20 PM - 6 Oct 2017
0 replies
0 retweets
1 like
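The points raised in the thread (consult SAN entries rather than only the CN, use a plain comparison, offer a strict RFC 6125 mode that never falls back to the CN, and run the cheap name check before the CRL lookup) as an added illustration in Go. This is example code written for this page, not Vault's own implementation; the function names, the allowed-name list and the `revoked` callback are assumptions, and chain building and name constraints are left to `x509.Certificate.Verify`, which this snippet does not repeat.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// normalise lowercases a name and drops a trailing dot so that comparison is
// an exact match (no glob or substring logic).
func normalise(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// matchClientName checks the presented identifiers against the operator's
// allowed list. SAN DNS names and email addresses are consulted first; the
// Subject CN is only a fallback when the certificate carries no SAN at all,
// and never when strictRFC6125 is set.
func matchClientName(cert *x509.Certificate, allowedNames []string, strictRFC6125 bool) (bool, string) {
	allowed := make(map[string]struct{}, len(allowedNames))
	for _, n := range allowedNames {
		allowed[normalise(n)] = struct{}{}
	}
	presented := append(append([]string{}, cert.DNSNames...), cert.EmailAddresses...)
	for _, p := range presented {
		if _, ok := allowed[normalise(p)]; ok {
			return true, "matched SAN " + p
		}
	}
	if len(presented) > 0 || strictRFC6125 {
		return false, "no SAN matched (CN fallback not applicable)"
	}
	cn := normalise(cert.Subject.CommonName)
	if _, ok := allowed[cn]; ok && cn != "" {
		return true, "matched legacy CN " + cn
	}
	return false, "no SAN present and CN did not match"
}

// authorize runs the cheap name check before the (typically expensive)
// revocation lookup, the ordering suggested in the thread. revoked is supplied
// by the caller (hypothetical; e.g. a CRL or OCSP consult).
func authorize(cert *x509.Certificate, allowedNames []string, strictRFC6125 bool, revoked func(*x509.Certificate) bool) bool {
	if ok, _ := matchClientName(cert, allowedNames, strictRFC6125); !ok {
		return false
	}
	return !revoked(cert)
}

func main() {
	// Constructed certificate: SAN present, CN set to a name that is allowed only to show it is ignored.
	c := &x509.Certificate{Subject: pkix.Name{CommonName: "legacy.example.com"}, DNSNames: []string{"Client1.Example.COM"}}
	fmt.Println(matchClientName(c, []string{"legacy.example.com"}, false)) // false: SAN present, CN not consulted
	fmt.Println(matchClientName(c, []string{"client1.example.com"}, true)) // true: exact, case-insensitive SAN match
}
```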