quininer / tokio-rustls

Asynchronous TLS/SSL streams for Tokio using Rustls.

Using w/o DNSNameRef? #59

Open jadamcrain opened 4 years ago

jadamcrain commented 4 years ago

In many machine-to-machine applications, there is no DNS. Is it possible to use tokio-rustls w/o the DNS name validation (DNSNameRef)? I just want mutual authentication using X.509.

quininer commented 4 years ago

I don't understand your question. We didn't actually use DNS, but X.509 requires us to provide a DNS name (see the RFC).

If you don't want to verify hostname, then you probably should not use TLS either, and the noise protocol is a better choice.

jadamcrain commented 4 years ago

Core TLS/X.509 doesn't require the names in certificates to be a DNS name. You're confusing HTTPS and the usage of TLS on the web with the broader application of TLS. The part of the RFC you cite is for optional web-centric X.509 extensions.

While I like Noise and have played with it in other applications, I'm implementing a third-party spec, Modbus over TLS, so I can't just choose another protocol. I've opened a ticket on Rustls itself, since the limitation appears to be on their end.

quininer commented 4 years ago

Makes sense, I will follow it if rustls changes.