-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
During parsing, accept v1 certificates and allow certificates without subjectAltName #219
Comments
@briansmith : From our perspective it would be great if v3 certificates would be accepted regardless of whether they have extensions. AFAIU, the relevant code is here. The der::nested currently returns the Do you have plans to address this anytime soon? |
@robin-kunzler it seems to work for me with this small change to the code you pointed at #241 |
@briansmith, we would like to use Would you therefore be OK with merging #241? If you would like to have changes to #241, we would be happy to create a respective PR. |
@briansmith, did you already have time to look at this? Support for certificates without extensions is very important for our project. Judging from the number of 👍 on your original comment, it seem others would also be interested in this. So if there is anything that can be done to help getting this supported (e.g., adapt #241, or create an entirely different PR), please let me know. Thanks! |
Yes, I am planning to accept the PR. #248 is my current priority for this project and that work will unblock #241 and others. |
Specifically, here is my plan:
|
@briansmith any progress on this? As far as I see it still fails and I specifically need to verify the self-signed certificate with only a common name present (no SubjectAltName). Thanks! |
@blind-oracle, if your certificate is v3, then you could use the rustls/webpki fork, where this is now supported. |
Currently, constructing an
EndEntityCert
will fail unless the certificate is a v3 certificate with a subjectAltName extension.Instead, the following should happen:
If/when the subject name is validated, then name validation should always fail if no name matches are found, regardless of whether there was a subjectAltName extension and regardless of the version.
The text was updated successfully, but these errors were encountered: