nanog mailing list archives
Re: looking for terminology recommendations concerning non-rooted FQDNs
From: Owen DeLong <owen () delong com>
Date: Mon, 25 Feb 2013 09:38:11 -0800
On Feb 25, 2013, at 9:18 AM, Jay Ashworth <jra () baylink com> wrote:
----- Original Message -----From: "Owen DeLong" <owen () delong com>However, that's for the resolver library. In terms of matching the CN in a certificate, this should always be FQDN and the trailing dot should not be present. If OpenSSL (the command line tool) is passing foo.blah.com. to the SSL functions and not just getaddrinfo(), then, it is a bug.If I understood Brian correctly, his problem is that people/programs are trying to retrieve things from, eg: https://my.host.name./this/is/a/path and the SSL library fails the certificate match if the cert doesn't contain the absolute domain name as an altName -- because *the browser* (or whatever) does not normalize before calling the library. As I suggest in another thread, I think the SSL library probably ought to be normalizing off that trailing dot itself, before trying to match the string supplied to the names in the retrieved cert. It sounds as if you might agree with me, at least in principle.
I don't see any reason that the SSL library shouldn't normalize the name and remove the trailing dot. However, even if the SSL library does so, I see no valid reason that would relieve the browser of the obligation to do so as well. Be conservative in what you send (or pass to a library) and liberal in what you accept. Under that principle, the SSL library should accept either one and normalize it. However, the browser should also normalize what it passes to the SSL library. Owen
Current thread:
- Re: Should host/domain names travel over the internet with a trailing dot?, (continued)
- Re: Should host/domain names travel over the internet with a trailing dot? Mark Andrews (Feb 25)
- Re: Should host/domain names travel over the internet with a trailing dot? Mark Andrews (Feb 25)
- Re: Should host/domain names travel over the internet with a trailing dot? Brian Reichert (Feb 25)
- Re: Should host/domain names travel over the internet with a trailing dot? Jay Ashworth (Feb 25)
- Re: Should host/domain names travel over the internet with a trailing dot? Jimmy Hess (Feb 25)
- Re: Should host/domain names travel over the internet with a trailing dot? Jay Ashworth (Feb 25)
- Re: Should host/domain names travel over the internet with a trailing dot? Valdis . Kletnieks (Feb 26)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Owen DeLong (Feb 25)
- Re: looking for terminology recommendations concerning non-rooted FQDNs David Miller (Feb 25)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Jay Ashworth (Feb 25)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Owen DeLong (Feb 25)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Brian Reichert (Feb 25)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Doug Barton (Feb 25)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Brian Reichert (Feb 25)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Jay Ashworth (Feb 25)
- Message not available
- Re: looking for terminology recommendations concerning non-rooted FQDNs Brian Reichert (Feb 22)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Andrew Sullivan (Feb 22)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Rich Kulawiec (Feb 22)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Jay Ashworth (Feb 22)
- Re: looking for terminology recommendations concerning non-rooted FQDNs Mark Andrews (Feb 23)