hannesm / jackline

minimalistic secure XMPP client in OCaml
BSD 2-Clause "Simplified" License

Adapt to tls 0.15.0 #226

Closed sternenseemann closed 2 years ago

sternenseemann commented 2 years ago

Hex_cert_fingerprints has been renamed to Hex_cert_fingerprint and no longer requires passing in a hostname.

sternenseemann commented 2 years ago

This change means we now effectively ignore/don't verify the (possibly user provided) certname. Is this a problem or just a quirk of how x509 used to work?

hannesm commented 2 years ago

thanks for your PR. I'll take a look soon. X509 used to be overly general with respect to that (accepting a list of pairs with hostname and fingerprint). Since 0.15.0 it is simpler by only accepting a single fingerprint (and thus no hostname is necessary). This change was also driven by enabling the authentication of certificates with no hostname, but only IP addresses.
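To make the two authenticator shapes discussed above concrete, here is an added Python sketch (not jackline's or ocaml-x509's code): the pre-0.15.0 list of (hostname, fingerprint) pairs, where the peer's hostname selects the pin, next to the 0.15.0 single-fingerprint form, where no hostname is consulted at all. The certificate bytes and the SHA-256 hash choice are constructed assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate (not a real X.509 blob).
SERVER_CERT_DER = b"constructed-der-bytes-for-xmpp.example.org"


def parse_hex_fingerprint(text: str) -> bytes:
    """Accept 'ab:cd:..' or 'abcd..' in any case; reject non-SHA-256 lengths."""
    raw = bytes.fromhex(text.replace(":", "").strip())
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes)")
    return raw


def cert_fingerprint(cert_der: bytes) -> bytes:
    """Fingerprint of the whole DER certificate (SHA-256 assumed here)."""
    return hashlib.sha256(cert_der).digest()


def authenticate_old(cert_der: bytes, hostname, pinned) -> bool:
    """Pre-0.15.0 shape: pinned is a list of (hostname, hex fingerprint) pairs.
    The hostname picks which pins apply, so a peer known only by IP address
    (hostname None) can never be pinned, and a mismatching name fails even
    when the certificate itself is the expected one."""
    if hostname is None:
        return False
    expected = [fp for (host, fp) in pinned if host == hostname]
    if not expected:
        return False
    actual = cert_fingerprint(cert_der)
    return any(hmac.compare_digest(actual, parse_hex_fingerprint(fp))
               for fp in expected)


def authenticate_new(cert_der: bytes, pinned_hex: str) -> bool:
    """0.15.0 shape: a single fingerprint and no hostname.  The pin identifies
    the certificate directly, which is why a configured certname is ignored."""
    return hmac.compare_digest(cert_fingerprint(cert_der),
                               parse_hex_fingerprint(pinned_hex))


if __name__ == "__main__":
    fp = cert_fingerprint(SERVER_CERT_DER).hex()
    print("old, hostname matches:", authenticate_old(SERVER_CERT_DER, "xmpp.example.org", [("xmpp.example.org", fp)]))
    print("old, IP-only peer:    ", authenticate_old(SERVER_CERT_DER, None, [("xmpp.example.org", fp)]))
    print("new, no hostname:     ", authenticate_new(SERVER_CERT_DER, fp))
```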

sternenseemann commented 2 years ago

My guess would be that we may be able to drop the cert_hostname config option now, but I'm not sure how to best do that (with informing users? without breaking their configurations?).

hannesm commented 2 years ago

thanks, merged manually :)