On Jun 2, 2016 7:06 PM, "Daniel Ruggeri" <DRuggeri@primary.net> wrote:
> On 6/1/2016 9:19 AM, William A Rowe Jr wrote:
> > Proposal...
> > CheckPeerName   CheckPeerCN
> > unset | on      unset | on     CheckPeerName verification
> > off             on             *CheckPeerCN* verification
> > off             unset | off    no verification
> > unset | off     off            no verification
> > WDYT?
> ... but it is probably a very unlikely scenario for an administrator to
> want to disable checking of SAN entries but to enable checking of CN
> (the off/on scenario above). I'd argue it's reasonable to make both
> directives simple toggles CheckPeerName verification, but I still agree
> that we cannot make an existing config represent X in version 1.2.3 and
> represent Y in version 1.2.4 so CheckPeerCN logic should be retained.
You have me a little confused.
The existing (2.4.20) behavior is a superset of the legacy (2.4.4) behavior. Nobody has become confused since 2.4.5 that the program is suddenly accepting wildcard matches or altSubjectName matches.
They are confused because previously disabling CheckCN no longer disables the check.
There remains one and only one config in the proposed fix which correctly processes CheckCN, and it happens to mirror a previously explicit and correct config.
Anyone upgrading since 2.4.4 with no directives at all will gain the benefit of wildcard and altSubjectName matches, which I don't see as detrimental. I think the patch as proposed is the best compromise, and hope the docs explanation is as clear as can be.
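The difference the thread turns on, a CN-only comparison versus a check that also honours subjectAltName dNSName entries and wildcards, together with the decision table from the proposal, as an added illustration that is not mod_ssl's own code and not part of the thread. It assumes RFC 6125-style rules (single left-most wildcard label, SANs take precedence over the CN when present); mod_ssl's exact matching details are not stated on the page, and `PeerCert` is a constructed stand-in for a parsed certificate.

```python
"""Model of the two peer-name checks discussed in the thread (added example,
not httpd/mod_ssl code). None stands for an unset directive."""
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Minimal stand-in for a parsed X.509 certificate (constructed)."""
    common_name: str
    dns_sans: list = field(default_factory=list)   # subjectAltName dNSName values


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison (assumption: mod_ssl's rules are close to this).
    A '*' is accepted only as the entire left-most label and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, and we require at least two
    # fixed labels after it so '*.com' cannot match every .com host.
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def check_peer_cn(cert: PeerCert, hostname: str) -> bool:
    """Legacy CheckPeerCN behaviour: exact comparison against the subject CN only."""
    return cert.common_name.lower() == hostname.lower()


def check_peer_name(cert: PeerCert, hostname: str) -> bool:
    """CheckPeerName behaviour: SAN dNSName entries with wildcards; the CN is
    consulted only when the certificate carries no dNSName SAN (assumption)."""
    if cert.dns_sans:
        return any(_label_match(san, hostname) for san in cert.dns_sans)
    return _label_match(cert.common_name, hostname)


def resolve_mode(check_peer_name_setting, check_peer_cn_setting) -> str:
    """The proposed decision table from the thread, row by row.
    Returns 'CheckPeerName', 'CheckPeerCN' or 'none'."""
    name, cn = check_peer_name_setting, check_peer_cn_setting
    if name in (None, True) and cn in (None, True):   # unset|on , unset|on
        return "CheckPeerName"
    if name is False and cn is True:                  # off , on
        return "CheckPeerCN"
    if name is False and cn in (None, False):         # off , unset|off
        return "none"
    if name in (None, False) and cn is False:         # unset|off , off
        return "none"
    # (on, off) is not a row in the proposed table; refuse rather than guess.
    raise ValueError(f"combination not covered by the proposal: {name!r}, {cn!r}")


def verify_peer(cert: PeerCert, hostname: str,
                check_peer_name_setting=None, check_peer_cn_setting=None):
    """Apply whichever check the directive pair resolves to."""
    mode = resolve_mode(check_peer_name_setting, check_peer_cn_setting)
    if mode == "CheckPeerName":
        return mode, check_peer_name(cert, hostname)
    if mode == "CheckPeerCN":
        return mode, check_peer_cn(cert, hostname)
    return mode, True   # no verification performed


if __name__ == "__main__":
    # Constructed certificate: CN names one host, SAN adds a wildcard.
    cert = PeerCert("www.example.com", ["www.example.com", "*.example.com"])
    for host in ("www.example.com", "api.example.com", "a.b.example.com"):
        print(host, verify_peer(cert, host), verify_peer(cert, host, False, True))
```

With no directives set, the wildcard SAN lets `api.example.com` pass, which is the extra acceptance the reply describes as harmless; with CheckPeerName off and CheckPeerCN on only the exact CN matches, and `a.b.example.com` fails under both modes because a wildcard does not span labels.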