Tonight, I spent a few hours implementing RFC5952: https://github.com/colmmacc/s2n/commit/4e7d2424b059b1350353fbb95c251d5ff024535e ... because it turns out that there's no portable way to be sure that IPv6 strings will be in a canonical format. How is that not fixed in 2019? Crazy! Exact-match is needed in many applications.
This doesn't appear to be the case with s2n's SAN parser, however; here's a test case to make sure "127.0.0.1" gets passed to the callback when it's in a DNS SAN: https://github.com/awslabs/s2n/blob/e7def58f81e67ccc89e2f1db1b4088482ea2eeb2/tests/unit/s2n_x509_validator_test.c#L622-L656
That can't be changed without breaking backwards compat, so new callbacks are needed for IP SANs so an application that wants to be strict can be.
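The canonical text form the first tweet refers to, as an added example (not from the thread and not s2n's code): a formatter that turns the 16 raw address bytes into the RFC 5952 string, so two encodings of the same address compare equal byte for byte. The function name `ipv6_to_rfc5952` is hypothetical, the sample address is constructed, and the sketch always emits the hexadecimal form (it does not produce the mixed IPv4 notation of RFC 5952 section 5).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not s2n's): write the RFC 5952 form of a 16-byte
 * IPv6 address into out (39 chars + NUL at most) and return out. */
char *ipv6_to_rfc5952(const uint8_t addr[16], char out[40])
{
    uint16_t f[8];
    int best = -1, best_len = 0, run = -1, run_len = 0;

    for (int i = 0; i < 8; i++) {
        f[i] = (uint16_t)((addr[2 * i] << 8) | addr[2 * i + 1]);
        if (f[i] != 0) { run = -1; continue; }
        if (run < 0) { run = i; run_len = 0; }
        run_len++;
        /* Strictly greater: on a tie the first run wins (section 4.2.3). */
        if (run_len > best_len) { best = run; best_len = run_len; }
    }
    /* "::" must not replace a single zero field (section 4.2.2). */
    if (best_len < 2) best = -1;

    int n = 0, after_gap = 0;
    out[0] = '\0';
    for (int i = 0; i < 8; ) {
        if (i == best) {
            n += snprintf(out + n, 40 - (size_t)n, "::");
            i += best_len;
            after_gap = 1;
            continue;
        }
        /* %x gives lowercase hex with leading zeros suppressed (4.1, 4.3). */
        n += snprintf(out + n, 40 - (size_t)n, "%s%x",
                      (i > 0 && !after_gap) ? ":" : "", (unsigned)f[i]);
        after_gap = 0;
        i++;
    }
    return out;
}

int main(void)
{
    /* Constructed sample: 2001:0DB8:0000:0000:0001:0000:0000:0001 */
    const uint8_t a[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,1,0,0,0,0,0,1};
    char buf[40];
    puts(ipv6_to_rfc5952(a, buf));
    return 0;
}
```

Formatting from the parsed bytes rather than comparing the strings found in a certificate or config is what makes an exact-match check reliable.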