verify_cert_dns_name appears only to work against subjectAltName #11

Open
ctz opened this issue May 20, 2016 · 6 comments
@ctz
Contributor

ctz commented May 20, 2016

I have the following cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 456 (0x1c8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ponytown level 2 intermediate
        Validity
            Not Before: May 20 21:59:24 2016 GMT
            Not After : Jun 19 21:59:24 2016 GMT
        Subject: CN=testserver.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:99:b5:76:7b:ff:18:2f:61:02:17:62:a4:80:
                    58:21:cc:01:81:0c:71:9f:3c:08:5e:19:8a:5e:fb:
                    db:6d:66:67:34:c2:e6:b9:30:f6:b1:8d:91:87:23:
                    e1:4f:a4:76:6c:fe:89:c3:03:b6:a0:3c:f2:22:84:
                    1b:b2:2b:b4:8b:59:23:f3:23:04:19:64:fc:53:4d:
                    d2:7e:fe:f8:32:b4:68:4c:29:34:aa:0d:33:e9:87:
                    72:38:e3:80:44:90:f4:2e:0b:6f:4c:f9:9a:3b:d2:
                    76:d3:b7:69:92:e1:60:1d:2a:90:62:85:7c:e2:10:
                    3c:12:1f:b4:61:77:32:b2:d0:2b:13:b8:57:89:53:
                    2d:f2:35:75:28:32:0f:9e:1c:d4:6b:bb:86:cf:10:
                    36:eb:df:24:f7:84:fe:84:94:da:49:d7:a2:c2:2f:
                    e4:ad:37:7f:55:55:f3:80:01:95:81:be:ea:31:02:
                    9e:c5:c8:1f:a2:c8:42:39:a1:0a:a3:80:9a:46:b8:
                    ab:55:4a:9d:71:d7:b8:4a:03:f0:f7:aa:10:a2:34:
                    dc:cd:04:1f:34:57:4c:ac:b3:3b:dc:a2:1a:6b:73:
                    e7:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation
            X509v3 Subject Key Identifier: 
                91:4F:84:13:A5:69:3C:3B:F0:7D:78:34:74:DC:55:F0:90:34:BF:9E
            X509v3 Authority Key Identifier: 
                keyid:EC:DA:EF:92:48:28:07:D4:E2:6C:84:E2:60:96:57:49:4F:36:A2:C4
                DirName:/CN=ponytown CA
                serial:7B

    Signature Algorithm: sha256WithRSAEncryption
         11:3b:dc:12:c9:75:ad:fa:76:38:8e:9d:5c:eb:43:2d:4d:22:
         92:45:f9:a4:be:4e:c7:b6:92:30:de:ed:ac:35:97:55:48:5a:
         c6:49:0a:90:11:e2:5a:c4:88:17:85:cd:72:6f:0e:9f:fe:79:
         11:ee:ec:ef:7f:c7:91:ec:90:d2:e0:49:94:2e:d8:95:80:b0:
         3d:22:80:fd:79:20:2c:56:44:45:99:e7:75:e0:61:81:eb:36:
         47:26:b5:61:dc:85:80:c9:79:13:b6:75:b9:44:d0:2f:f3:b5:
         8e:1e:92:d6:5a:a2:9c:bf:d5:82:5d:1a:17:b1:ac:9c:97:86:
         07:0c:b9:0f:fd:bb:3b:91:fb:9b:cf:14:43:c1:84:97:ca:67:
         3f:d7:f8:ac:05:47:61:aa:fe:94:e8:dd:84:77:77:5e:0c:cd:
         96:37:f9:24:73:8b:2f:49:fd:82:89:a0:f0:21:02:d3:cb:95:
         8c:96:73:7c:60:c8:87:58:5f:eb:96:f1:25:d3:5c:4a:42:97:
         d3:ad:5d:2b:9b:a8:06:7c:85:93:4e:0e:9c:9a:c9:3a:99:f8:
         f0:9d:76:82:47:56:79:67:40:62:d3:65:5f:8f:de:c5:04:44:
         ab:89:d4:58:fb:38:c6:9d:63:36:c6:13:58:8e:24:f1:48:5b:
         8c:e0:89:91:ea:91:6c:af:86:4e:22:e0:49:69:37:51:9d:ac:
         36:f4:29:8d:d7:b9:32:fd:b4:73:e7:06:2d:bc:97:5d:4d:0f:
         50:20:1d:42:f5:04:a3:03:7e:0b:9e:29:c5:88:1f:c9:c9:8a:
         c1:fe:b8:50:99:4f:b4:11:50:3a:f6:d4:68:58:10:3c:72:97:
         6d:5d:67:f1:fb:64:26:36:c7:3b:f1:24:25:f1:7c:84:63:8f:
         e2:d5:bb:a5:c8:8d:17:4b:c5:22:e4:df:f4:51:47:0e:2c:a0:
         89:84:f9:22:38:4b:e3:f6:f2:d1:da:7a:f6:35:a1:35:63:2c:
         7e:d8:fb:6c:b7:ed

I'd expect verify_cert_dns_name to say Ok to that for the input "testserver.com", but it says CertNotValidForName.

Here's a minimal test program:

extern crate webpki;
extern crate ring;

fn main() {
  let bytes = vec![
    0x30, 0x82, 0x03, 0xb9, 0x30, 0x82, 0x02, 0x21, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x02, 0x01,
    0xc8, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
    0x30, 0x28, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1d, 0x70, 0x6f, 0x6e,
    0x79, 0x74, 0x6f, 0x77, 0x6e, 0x20, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x20, 0x32, 0x20, 0x69, 0x6e,
    0x74, 0x65, 0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74, 0x65, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36,
    0x30, 0x35, 0x32, 0x30, 0x32, 0x31, 0x35, 0x39, 0x32, 0x34, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30,
    0x36, 0x31, 0x39, 0x32, 0x31, 0x35, 0x39, 0x32, 0x34, 0x5a, 0x30, 0x19, 0x31, 0x17, 0x30, 0x15,
    0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0e, 0x74, 0x65, 0x73, 0x74, 0x73, 0x65, 0x72, 0x76, 0x65,
    0x72, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
    0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01,
    0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xda, 0x99, 0xb5, 0x76, 0x7b, 0xff, 0x18, 0x2f, 0x61, 0x02,
    0x17, 0x62, 0xa4, 0x80, 0x58, 0x21, 0xcc, 0x01, 0x81, 0x0c, 0x71, 0x9f, 0x3c, 0x08, 0x5e, 0x19,
    0x8a, 0x5e, 0xfb, 0xdb, 0x6d, 0x66, 0x67, 0x34, 0xc2, 0xe6, 0xb9, 0x30, 0xf6, 0xb1, 0x8d, 0x91,
    0x87, 0x23, 0xe1, 0x4f, 0xa4, 0x76, 0x6c, 0xfe, 0x89, 0xc3, 0x03, 0xb6, 0xa0, 0x3c, 0xf2, 0x22,
    0x84, 0x1b, 0xb2, 0x2b, 0xb4, 0x8b, 0x59, 0x23, 0xf3, 0x23, 0x04, 0x19, 0x64, 0xfc, 0x53, 0x4d,
    0xd2, 0x7e, 0xfe, 0xf8, 0x32, 0xb4, 0x68, 0x4c, 0x29, 0x34, 0xaa, 0x0d, 0x33, 0xe9, 0x87, 0x72,
    0x38, 0xe3, 0x80, 0x44, 0x90, 0xf4, 0x2e, 0x0b, 0x6f, 0x4c, 0xf9, 0x9a, 0x3b, 0xd2, 0x76, 0xd3,
    0xb7, 0x69, 0x92, 0xe1, 0x60, 0x1d, 0x2a, 0x90, 0x62, 0x85, 0x7c, 0xe2, 0x10, 0x3c, 0x12, 0x1f,
    0xb4, 0x61, 0x77, 0x32, 0xb2, 0xd0, 0x2b, 0x13, 0xb8, 0x57, 0x89, 0x53, 0x2d, 0xf2, 0x35, 0x75,
    0x28, 0x32, 0x0f, 0x9e, 0x1c, 0xd4, 0x6b, 0xbb, 0x86, 0xcf, 0x10, 0x36, 0xeb, 0xdf, 0x24, 0xf7,
    0x84, 0xfe, 0x84, 0x94, 0xda, 0x49, 0xd7, 0xa2, 0xc2, 0x2f, 0xe4, 0xad, 0x37, 0x7f, 0x55, 0x55,
    0xf3, 0x80, 0x01, 0x95, 0x81, 0xbe, 0xea, 0x31, 0x02, 0x9e, 0xc5, 0xc8, 0x1f, 0xa2, 0xc8, 0x42,
    0x39, 0xa1, 0x0a, 0xa3, 0x80, 0x9a, 0x46, 0xb8, 0x70, 0x5f, 0x65, 0x11, 0xf0, 0x80, 0x6e, 0xb9,
    0xa7, 0x44, 0xba, 0x5a, 0x52, 0x23, 0x8e, 0x5c, 0xb7, 0x26, 0x1f, 0x18, 0xbf, 0x7b, 0xe4, 0xc2,
    0xd3, 0x74, 0xe3, 0x15, 0x39, 0xf8, 0xab, 0x55, 0x4a, 0x9d, 0x71, 0xd7, 0xb8, 0x4a, 0x03, 0xf0,
    0xf7, 0xaa, 0x10, 0xa2, 0x34, 0xdc, 0xcd, 0x04, 0x1f, 0x34, 0x57, 0x4c, 0xac, 0xb3, 0x3b, 0xdc,
    0xa2, 0x1a, 0x6b, 0x73, 0xe7, 0x65, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7c, 0x30, 0x7a, 0x30,
    0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0b, 0x06,
    0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x06, 0xc0, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
    0x0e, 0x04, 0x16, 0x04, 0x14, 0x91, 0x4f, 0x84, 0x13, 0xa5, 0x69, 0x3c, 0x3b, 0xf0, 0x7d, 0x78,
    0x34, 0x74, 0xdc, 0x55, 0xf0, 0x90, 0x34, 0xbf, 0x9e, 0x30, 0x3e, 0x06, 0x03, 0x55, 0x1d, 0x23,
    0x04, 0x37, 0x30, 0x35, 0x80, 0x14, 0xec, 0xda, 0xef, 0x92, 0x48, 0x28, 0x07, 0xd4, 0xe2, 0x6c,
    0x84, 0xe2, 0x60, 0x96, 0x57, 0x49, 0x4f, 0x36, 0xa2, 0xc4, 0xa1, 0x1a, 0xa4, 0x18, 0x30, 0x16,
    0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0b, 0x70, 0x6f, 0x6e, 0x79, 0x74,
    0x6f, 0x77, 0x6e, 0x20, 0x43, 0x41, 0x82, 0x01, 0x7b, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
    0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x81, 0x00, 0x11, 0x3b, 0xdc,
    0x12, 0xc9, 0x75, 0xad, 0xfa, 0x76, 0x38, 0x8e, 0x9d, 0x5c, 0xeb, 0x43, 0x2d, 0x4d, 0x22, 0x92,
    0x45, 0xf9, 0xa4, 0xbe, 0x4e, 0xc7, 0xb6, 0x92, 0x30, 0xde, 0xed, 0xac, 0x35, 0x97, 0x55, 0x48,
    0x5a, 0xc6, 0x49, 0x0a, 0x90, 0x11, 0xe2, 0x5a, 0xc4, 0x88, 0x17, 0x85, 0xcd, 0x72, 0x6f, 0x0e,
    0x9f, 0xfe, 0x79, 0x11, 0xee, 0xec, 0xef, 0x7f, 0xc7, 0x91, 0xec, 0x90, 0xd2, 0xe0, 0x49, 0x94,
    0x2e, 0xd8, 0x95, 0x80, 0xb0, 0x3d, 0x22, 0x80, 0xfd, 0x79, 0x20, 0x2c, 0x56, 0x44, 0x45, 0x99,
    0xe7, 0x75, 0xe0, 0x61, 0x81, 0xeb, 0x36, 0x47, 0x26, 0xb5, 0x61, 0xdc, 0x85, 0x80, 0xc9, 0x79,
    0x13, 0xb6, 0x75, 0xb9, 0x44, 0xd0, 0x2f, 0xf3, 0xb5, 0x8e, 0x1e, 0x92, 0xd6, 0x5a, 0xa2, 0x9c,
    0xbf, 0xd5, 0x82, 0x5d, 0x1a, 0x17, 0xb1, 0xac, 0x9c, 0x97, 0x86, 0x07, 0x0c, 0xb9, 0x0f, 0xfd,
    0xbb, 0x3b, 0x91, 0xfb, 0x9b, 0xcf, 0x14, 0x43, 0xc1, 0x84, 0x97, 0xca, 0x67, 0x3f, 0xd7, 0xf8,
    0xac, 0x05, 0x47, 0x61, 0xaa, 0xfe, 0x94, 0xe8, 0xdd, 0x84, 0x77, 0x77, 0x5e, 0x0c, 0xcd, 0x96,
    0x37, 0xf9, 0x24, 0x73, 0x8b, 0x2f, 0x49, 0xfd, 0x82, 0x89, 0xa0, 0xf0, 0x21, 0x02, 0xd3, 0xcb,
    0x95, 0x8c, 0x96, 0x73, 0x7c, 0x60, 0xc8, 0x87, 0x58, 0x5f, 0xeb, 0x96, 0xf1, 0x25, 0xd3, 0x5c,
    0x4a, 0x42, 0x97, 0xd3, 0xad, 0x5d, 0x2b, 0x9b, 0xa8, 0x06, 0x7c, 0x85, 0x93, 0x4e, 0x0e, 0x9c,
    0x9a, 0xc9, 0x3a, 0x99, 0xf8, 0xf0, 0x9d, 0x76, 0x82, 0x47, 0x56, 0x79, 0x67, 0x40, 0x62, 0xd3,
    0x65, 0x5f, 0x8f, 0xde, 0xc5, 0x04, 0x44, 0xab, 0x89, 0xd4, 0x58, 0xfb, 0x38, 0xc6, 0x9d, 0x63,
    0x36, 0xc6, 0x13, 0x58, 0x8e, 0x24, 0xf1, 0x48, 0x5b, 0x8c, 0xe0, 0x89, 0x91, 0xea, 0x91, 0x6c,
    0xaf, 0x86, 0x4e, 0x22, 0xe0, 0x49, 0x69, 0x37, 0x51, 0x9d, 0xac, 0x36, 0xf4, 0x29, 0x8d, 0xd7,
    0xb9, 0x32, 0xfd, 0xb4, 0x73, 0xe7, 0x06, 0x2d, 0xbc, 0x97, 0x5d, 0x4d, 0x0f, 0x50, 0x20, 0x1d,
    0x42, 0xf5, 0x04, 0xa3, 0x03, 0x7e, 0x0b, 0x9e, 0x29, 0xc5, 0x88, 0x1f, 0xc9, 0xc9, 0x8a, 0xc1,
    0xfe, 0xb8, 0x50, 0x99, 0x4f, 0xb4, 0x11, 0x50, 0x3a, 0xf6, 0xd4, 0x68, 0x58, 0x10, 0x3c, 0x72,
    0x97, 0x6d, 0x5d, 0x67, 0xf1, 0xfb, 0x64, 0x26, 0x36, 0xc7, 0x3b, 0xf1, 0x24, 0x25, 0xf1, 0x7c,
    0x84, 0x63, 0x8f, 0xe2, 0xd5, 0xbb, 0xa5, 0xc8, 0x8d, 0x17, 0x4b, 0xc5, 0x22, 0xe4, 0xdf, 0xf4,
    0x51, 0x47, 0x0e, 0x2c, 0xa0, 0x89, 0x84, 0xf9, 0x22, 0x38, 0x4b, 0xe3, 0xf6, 0xf2, 0xd1, 0xda,
    0x7a, 0xf6, 0x35, 0xa1, 0x35, 0x63, 0x2c, 0x7e, 0xd8, 0xfb, 0x6c, 0xb7, 0xed
  ];

  let input = ring::input::Input::new(&bytes).unwrap();
  let name = ring::input::Input::new("testserver.com".as_bytes()).unwrap();
  let rc = webpki::verify_cert_dns_name(input, name);
  println!("rc = {:?}", rc);
}

I think the issue is a missing match of GeneralName::DirectoryName in the closure given to iterate_names.

@briansmith
Owner

> I think the issue is a missing match of GeneralName::DirectoryName in the closure given to iterate_names.

No, that's not it. It's simpler: I just didn't implement the fallback to parsing dNSName and iPAddress out of Subject CNs because I wasn't sure if it was worth doing.

This is similar to other things I dropped (compared to mozilla::pkix), such as dropping support for v1 certificates.

I don't think I strongly object to the fallback being added back, but I'm not planning to do it myself soon.

@ctz
Contributor Author

ctz commented May 21, 2016

I checked the CAB baseline requirements and subjectAltName is indeed required, so I've decided I also don't care very much. My knowledge of how this all works is about 10 years out of date :)

Thanks! 👍

@briansmith
Owner

OK, I'm closing this. My goal is to avoid the bad stuff, and the Subject CN overloading is pretty bad, so I'm glad to not implement it.

@emk

emk commented Nov 17, 2021

Thank you very much to everyone who tracked this down!

I just discovered that citusdata.com uses CN-only certificates for PostgreSQL databases. These will fail with BadCertificate because of the issue discussed above. As expected, the following output lacks a DNS: line:

❯ openssl s_client -starttls postgres -showcerts -connect c.$DATABASE_NAME.db.citusdata.com:5432 </dev/null 2>/dev/null | openssl x509 -noout -text | grep db.citusdata.com
        Subject: CN = *.$DATABASE_NAME.db.citusdata.com

Citus was acquired by Microsoft, and it will be shut down early next year. So this isn't necessarily a pressing issue. But these broken certs are still used by major vendors, in at least some cases.

(Oh, and I only figured this out because I'm trying to get dbcrossbar running on the new ARM Macs, and this is one of the last issues, AFAICT. Before ARM, we used openssl, but it caused endless distribution issues.)

emk added a commit to dbcrossbar/dbcrossbar that referenced this issue Nov 17, 2021
Known issues:

- Unit tests appear to hang.
- Citus certificates don't work because of
  briansmith/webpki#11.
briansmith reopened this Dec 10, 2021
@briansmith
Owner

I am open to providing not-enabled-by-default support for DNS names in the subject common name field. It would be good for somebody to design the API for people to opt into that. In general we don't have a configuration API in this crate; this would be one of the first bits of configuration. I filed #249 for designing and implementing the base configuration API on top of which we can add configuration such as this.
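
The behaviour discussed in this thread, as an added example that is not webpki's code or API: name checking that uses only subjectAltName dNSName entries by default, with a caller opt-in that consults the Subject CN only when the certificate carries no dNSName at all. `CertNames`, `CnPolicy` and `verify_dns_name` are hypothetical names, and the certificate is modelled as already-extracted strings rather than parsed from DER.

```rust
// Added illustration: hypothetical types and names, not webpki's API.
#[derive(Debug, PartialEq)]
pub enum NameError { CertNotValidForName }

#[derive(Clone, Copy)]
pub enum CnPolicy { SanOnly, CnFallback }

/// Names already extracted from an end-entity certificate (constructed model).
pub struct CertNames<'a> {
    pub san_dns: &'a [&'a str],      // dNSName entries of subjectAltName
    pub subject_cn: Option<&'a str>, // Subject commonName, if any
}

/// Case-insensitive match; "*" is honoured only as the whole left-most
/// label and stands for exactly one label.
fn dns_id_matches(presented: &str, host: &str) -> bool {
    let (p, h) = (presented.to_ascii_lowercase(), host.to_ascii_lowercase());
    match p.strip_prefix("*.") {
        Some(suffix) => h.split_once('.')
            .map_or(false, |(first, rest)| !first.is_empty() && rest == suffix),
        None => p == h,
    }
}

pub fn verify_dns_name(cert: &CertNames, host: &str, policy: CnPolicy)
    -> Result<(), NameError>
{
    // Any dNSName SAN makes the SAN list authoritative; the CN is then
    // ignored even if the caller opted into the fallback.
    let candidates: Vec<&str> = if !cert.san_dns.is_empty() {
        cert.san_dns.to_vec()
    } else {
        match (policy, cert.subject_cn) {
            (CnPolicy::CnFallback, Some(cn)) => vec![cn],
            _ => Vec::new(),
        }
    };
    if candidates.iter().any(|n| dns_id_matches(n, host)) {
        Ok(())
    } else {
        Err(NameError::CertNotValidForName)
    }
}

fn main() {
    // Constructed model of the reported certificate: CN only, no subjectAltName.
    let cn_only = CertNames { san_dns: &[], subject_cn: Some("testserver.com") };
    println!("{:?}", verify_dns_name(&cn_only, "testserver.com", CnPolicy::SanOnly));
    println!("{:?}", verify_dns_name(&cn_only, "testserver.com", CnPolicy::CnFallback));
}
```
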

emk added a commit to dbcrossbar/dbcrossbar that referenced this issue Dec 15, 2021
Known issues:

- Unit tests appear to hang.
- Citus certificates don't work because of
  briansmith/webpki#11.
emk added a commit to dbcrossbar/dbcrossbar that referenced this issue Dec 15, 2021
We switch to `rustls`. Unfortunately, this change sacrifices Citus
Data compatibility because of
briansmith/webpki#11. It should allow
support for M1 Macs and eventually many other platforms, however.
@emk

emk commented Dec 15, 2021

Thank you for looking into this!

Since Citus Data has only weeks to live, I'm switching dbcrossbar over to webpki ahead of schedule.

Unfortunately, it's unlikely that we'll be able to work on support for DNS names in the common name field in the foreseeable future.

And of course, many thanks for providing very useful TLS support in Rust!
