Closed Philonous closed 9 years ago
This is a pretty important patch. tls cannot use any StartSSL class 1 certificates without it, in my testing.
Thanks @Philonous. Sorry, I've missed the PR in the first place. I've added support for AltNameXMPP and AltNameDNSSRV instead of ignoring them.
The current parser for alternate names bails out when it sees an alternative name format it doesn't understand, even when it can parse others. This prevents tls from validating certificates against a domain that is not the main subject when such unsupported alternate names are present. My patch changes the parser to ignore any fields it doesn't understand. This is certainly a crude hack, but it at least allows me to connect to the server.
As an example, this gist (https://gist.github.com/Philonous/9452127) includes a certificate for jabberd.draugr.de, to which you would usually connect via the alternate name draugr.de.
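The failure mode discussed in this thread, as an added Python example that is not code from the PR or from the tls/certificate libraries: a walk over a DER-encoded subjectAltName value that either aborts on the first GeneralName type it does not know (`strict=True`) or skips it and keeps the dNSName entries. The function names and the sample bytes are assumptions made for the illustration; the sample is constructed and is not the certificate from the gist.

```python
# Added example: strict vs. tolerant walk over a DER subjectAltName value.
DNS_NAME = 0x82      # GeneralName [2] dNSName, primitive IA5String
OTHER_NAME = 0xA0    # GeneralName [0] otherName, constructed (XMPP, DNS SRV, ...)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def dns_alt_names(san_der, strict=False):
    """Collect dNSName entries from a GeneralNames SEQUENCE.
    strict=True aborts on any GeneralName type other than dNSName;
    strict=False skips such entries and continues."""
    tag, body, end = read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("expected exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == DNS_NAME:
            names.append(value.decode("ascii"))
        elif strict:
            raise ValueError(f"unsupported GeneralName tag 0x{tag:02x}")
        # tolerant mode: a well-formed entry of unknown type is skipped
    return names

def tlv(tag, value):
    """Build a short-form TLV; only used to construct the sample below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed sample: an XMPP otherName followed by two dNSName entries.
XMPP_OID = bytes.fromhex("2b06010505070805")   # 1.3.6.1.5.5.7.8.5 (id-on-xmppAddr)
_other = tlv(OTHER_NAME, tlv(0x06, XMPP_OID) + tlv(0xA0, tlv(0x0C, b"draugr.de")))
SAMPLE_SAN = tlv(0x30, _other + tlv(DNS_NAME, b"draugr.de")
                 + tlv(DNS_NAME, b"jabberd.draugr.de"))
```

Tolerant mode only skips well-formed entries of an unrecognised type; a truncated or malformed encoding still raises `ValueError` in both modes.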