nanog mailing list archives

Re: looking for terminology recommendations concerning non-rooted FQDNs

From: Jay Ashworth <jra () baylink com>
Date: Mon, 25 Feb 2013 12:18:00 -0500 (EST)

----- Original Message -----

From: "Owen DeLong" <owen () delong com>

However, that's for the resolver library. In terms of matching the CN
in a certificate, this should always be FQDN and the trailing dot
should not be present. If OpenSSL (the command line tool) is passing
foo.blah.com. to the SSL functions and not just getaddrinfo(), then,
it is a bug.


If I understood Brian correctly, his problem is that people/programs
are trying to retrieve things from, eg:

https://my.host.name./this/is/a/path

and the SSL library fails the certificate match if the cert doesn't contain
the absolute domain name as an altName -- because *the browser* (or whatever)
does not normalize before calling the library.

As I suggest in another thread, I think the SSL library probably ought to
be normalizing off that trailing dot itself, before trying to match the
string supplied to the names in the retrieved cert.

It sounds as if you might agree with me, at least in principle.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274

Current thread:

Re: Should host/domain names travel over the internet with a trailing dot?, (continued)
- - - Re: Should host/domain names travel over the internet with a trailing dot? Jay Ashworth (Feb 25)
    - Re: Should host/domain names travel over the internet with a trailing dot? Mark Andrews (Feb 25)
    - Re: Should host/domain names travel over the internet with a trailing dot? Mark Andrews (Feb 25)
    - Re: Should host/domain names travel over the internet with a trailing dot? Brian Reichert (Feb 25)
    - Re: Should host/domain names travel over the internet with a trailing dot? Jay Ashworth (Feb 25)
    - Re: Should host/domain names travel over the internet with a trailing dot? Jimmy Hess (Feb 25)
    - Re: Should host/domain names travel over the internet with a trailing dot? Jay Ashworth (Feb 25)
    - Re: Should host/domain names travel over the internet with a trailing dot? Valdis . Kletnieks (Feb 26)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Owen DeLong (Feb 25)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs David Miller (Feb 25)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Jay Ashworth (Feb 25)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Owen DeLong (Feb 25)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Brian Reichert (Feb 25)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Doug Barton (Feb 25)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Brian Reichert (Feb 25)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Jay Ashworth (Feb 25)
    - Message not available
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Brian Reichert (Feb 22)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Andrew Sullivan (Feb 22)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Rich Kulawiec (Feb 22)
    - Re: looking for terminology recommendations concerning non-rooted FQDNs Jay Ashworth (Feb 22)
  - Re: looking for terminology recommendations concerning non-rooted FQDNs Jay Ashworth (Feb 22)

(Thread continues...)