Tonight, I spent a few hours implementing RFC5952: https://github.com/colmmacc/s2n/commit/4e7d2424b059b1350353fbb95c251d5ff024535e ... because it turns out that there's no portable way to be sure that IPv6 strings will be in a canonical format. How is that not fixed in 2019? Crazy! Exact-match is needed in many applications.
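As an added illustration of what RFC 5952 canonical form buys you (my own example, not code from the s2n commit above): the text rules (lowercase hex, no leading zeros, longest run of zero fields collapsed to "::", leftmost run on ties, never a lone zero field) applied to an in6_addr, so every spelling that inet_pton accepts for one address yields the same string and can be exact-matched with strcmp.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write the RFC 5952 text of `a` into `out` (at least INET6_ADDRSTRLEN bytes). */
void ipv6_canonical(const struct in6_addr *a, char *out)
{
    uint16_t f[8];
    int i, best_start = -1, best_len = 0, run_start = -1, run_len = 0;
    char *p = out;

    for (i = 0; i < 8; i++)
        f[i] = (uint16_t)((a->s6_addr[2 * i] << 8) | a->s6_addr[2 * i + 1]);

    /* Longest run of zero fields wins, leftmost on ties (4.2.3); a lone zero
     * field is never written as "::" (4.2.2). i == 8 closes a trailing run. */
    for (i = 0; i <= 8; i++) {
        if (i < 8 && f[i] == 0) {
            if (run_start < 0) run_start = i;
            run_len++;
        } else {
            if (run_len >= 2 && run_len > best_len) { best_start = run_start; best_len = run_len; }
            run_start = -1; run_len = 0;
        }
    }
    for (i = 0; i < 8; i++) {
        if (i == best_start) {              /* one "::" for the whole run */
            p += sprintf(p, "::");
            i += best_len - 1;
            continue;
        }
        if (i > 0 && i != best_start + best_len) *p++ = ':';
        p += sprintf(p, "%x", f[i]);        /* lowercase, no leading zeros (4.1, 4.3) */
    }
    *p = '\0';
}

/* Parse any RFC 4291 spelling and re-emit it canonically: 1 on success, 0 if unparsable.
 * Callers that already hold two in6_addr values can skip the text round trip and memcmp them. */
int ipv6_canonicalize_text(const char *in, char *out)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, in, &a) != 1) return 0;
    ipv6_canonical(&a, out);
    return 1;
}
```

IPv4-mapped addresses come out in pure hex here; RFC 5952 section 5 recommends the mixed dotted form for those, which this example does not implement.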
-
-
Why not new callbacks verify_ip and verify_ipv6 that take in_addr and in6_addr arguments? It seems generally better for security to keep things as strongly-typed as possible instead of coercing everything to a string.
-
Also, a single callback means an IP will be validated if it's in a DNS SAN. That has finally been eradicated from the WebPKI, and it would be a shame to see it facilitated in private PKIs, as it puts pressure on other validators to also be lax, when the trend is to be stricter.