Closed sternenseemann closed 2 years ago
This change means we now effectively ignore/don't verify the (possibly user provided) certname. Is this a problem or just a quirk of how x509 used to work?
thanks for your PR. I'll take a look soon. X509 used to be overly general with respect to that (accepting a list of pairs with hostname and fingerprint). Since 0.15.0 it is simpler, accepting only a single fingerprint (and thus no hostname is necessary). This change was also driven by enabling authentication of certificates with no hostname, but only IP addresses.
My guess would be that we may be able to drop the cert_hostname config option now, but I'm not sure how to best do that (with informing users? without breaking their configurations?).
thanks, merged manually :)
Hex_cert_fingerprints has been renamed to Hex_cert_fingerprint and no longer requires passing in a hostname.