
----- Original Message -----
From: "Owen DeLong" <owen@delong.com>
However, that's for the resolver library. In terms of matching the CN in a certificate, this should always be FQDN and the trailing dot should not be present. If OpenSSL (the command line tool) is passing foo.blah.com. to the SSL functions and not just getaddrinfo(), then, it is a bug.
If I understood Brian correctly, his problem is that people/programs are trying to retrieve things from, e.g.: https://my.host.name./this/is/a/path and the SSL library fails the certificate match if the cert doesn't contain the absolute domain name as an altName -- because *the browser* (or whatever) does not normalize before calling the library.

As I suggest in another thread, I think the SSL library probably ought to be normalizing off that trailing dot itself, before trying to match the string supplied to the names in the retrieved cert.

It sounds as if you might agree with me, at least in principle.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
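The normalization the thread is arguing about, written out as an added example (not code from this thread, from OpenSSL, or from any browser). It assumes a constructed stand-in for the name fields a parser would hand back from a server certificate (a dict with the CN and the subjectAltName dNSName list, not a real certificate) and applies RFC 6125 style matching rules: SAN dNSNames are preferred over the CN, and a wildcard is honoured only as the entire leftmost label matching exactly one label. The `normalize=False` path reproduces the failure described above, where the caller's `my.host.name.` is compared as supplied and never matches the cert's `my.host.name`.

```python
"""Strip the trailing dot before matching a host name against a certificate.

Added example for this thread; not code from the thread, OpenSSL or any
browser. CONSTRUCTED_CERT is a made-up stand-in for the names a certificate
parser would return, not a real certificate.
"""


# Constructed stand-in for a server certificate's name fields.
CONSTRUCTED_CERT = {
    "subject_cn": "my.host.name",
    "san_dns": ["my.host.name", "*.host.name"],
}


def normalize_hostname(host: str) -> str:
    """Return the FQDN form a certificate carries: lower-case, with at most
    one trailing dot removed. A bare "." or a name that still ends in "."
    after stripping (i.e. "name..") is rejected rather than silently repaired.
    """
    h = host.strip().lower()
    if h.endswith("."):
        h = h[:-1]
    if not h or h.endswith(".") or ".." in h:
        raise ValueError(f"not a valid host name: {host!r}")
    return h


def _label_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one certificate name against a host.

    Exact match, or a '*' that is the whole leftmost label and matches exactly
    one label: *.host.name matches a.host.name but neither host.name nor
    a.b.host.name. Partial wildcards such as f*.host.name are not honoured.
    """
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # e.g. ".host.name"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def match_hostname(cert: dict, host: str, normalize: bool = True) -> bool:
    """Match `host` against the cert's SAN dNSNames, falling back to the CN
    only when no SAN dNSName is present.

    normalize=True  : strip the trailing dot first (what the reply argues for).
    normalize=False : compare the string exactly as the caller supplied it,
                      which is the failure mode the thread describes.
    """
    candidate = normalize_hostname(host) if normalize else host.lower()
    names = cert.get("san_dns") or [cert.get("subject_cn", "")]
    return any(_label_matches(n.lower(), candidate) for n in names)


if __name__ == "__main__":
    for host in ("my.host.name", "my.host.name.", "other.host.name", "a.b.host.name"):
        print(f"{host:16} raw={match_hostname(CONSTRUCTED_CERT, host, normalize=False)!s:5} "
              f"normalized={match_hostname(CONSTRUCTED_CERT, host)}")
```

The dot is stripped from the *host name the caller supplied*, never added to the certificate's names: a certificate's dNSName is already a FQDN without the root label, so the comparison should happen in that form regardless of whether the URL, the resolver call or the SNI string carried the absolute name.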