On Feb 10, 2009, at 8:29 AM, h.b.furuseth@usit.uio.no wrote:
> quanah@zimbra.com writes:
>> This is because the Cert vendors themselves don't honor the RFC's when issuing wildcard certs, and was added so that their broken wildcard certs could still be used.
> In that case, maybe there should be a config option to turn this behavior on/off, and documentation which explains that it breaks the TLS standard and why it does so.
I think it reasonable to be liberal in what we accept in this particular case.
It's not like someone is actually going to name a host '*'. If they do, their certificate matching more hosts than they expect will be just one of many problems they face.
> If nothing else, it may get more people to complain to the cert vendors.
Far more persons would complain to the OpenLDAP Project.