Re: SSL host name checking doesn't understand wildcard subdomains?
- Subject: Re: SSL host name checking doesn't understand wildcard subdomains?
- From: Jens Alfke <email@hidden>
- Date: Fri, 11 May 2012 15:52:58 -0700
On May 11, 2012, at 10:51 AM, I wrote:
> If I disable peer name verification by setting the kCFStreamSSLPeerName property to kCFNull, the connection succeeds. Presumably I can then check the hostname myself and interpret the “*” properly, but shouldn’t SecureTransport or CFNetwork be doing that?
…and, having just implemented that check, let me say that it’s not at all straightforward on iOS — because some genius in the Security team forgot to put SecCertificateCopyCommonName in the iOS public API, meaning that to get the peer name from the SSL connection you’d have to do a bunch of messy X.509 certificate parsing. Oh, joy. :-p
—Jens
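
The manual wildcard check mentioned in the message above, as an added example that is not the poster's code or an Apple API: a conservative matcher in C in the style of RFC 6125, where "*" is accepted only as the whole left-most label and stands for exactly one label. The function names and the sample host names in the comments are assumptions, and the certificate name is assumed to have been extracted already.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality for ASCII host names. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;                      /* both strings ended together */
}

/* Returns 1 if the certificate name `pattern` (a dNSName or CN value)
 * covers `host`, 0 otherwise. Hypothetical helper for illustration.
 * IP-address hosts belong to iPAddress SAN comparison, not this function. */
int cert_name_matches_host(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;

    /* No wildcard: the names must be equal, ignoring case. */
    if (strchr(pattern, '*') == NULL)
        return eq_nocase(pattern, host);

    /* Accept a wildcard only as the entire left-most label: "*.rest".
     * Partial labels such as "w*.example.com" are refused. */
    if (pattern[0] != '*' || pattern[1] != '.')
        return 0;
    const char *suffix = pattern + 1;     /* e.g. ".example.com" */
    if (strchr(suffix, '*') != NULL)
        return 0;                         /* more than one wildcard */

    /* Policy choice: refuse "*.com"-style names by requiring at least
     * two labels after the wildcard. */
    if (strchr(suffix + 1, '.') == NULL)
        return 0;

    /* "*" stands for exactly one non-empty label, so everything from the
     * host's first dot onward must equal the suffix. This rejects both
     * "example.com" and "a.b.example.com" for "*.example.com". */
    const char *first_dot = strchr(host, '.');
    if (first_dot == NULL || first_dot == host)
        return 0;
    return eq_nocase(first_dot, suffix);
}
```

With peer name verification disabled as described, a check like this is the only thing binding the certificate to the host, so it has to run before any application data is sent.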