[ipxe-devel] Proposed patch: support for SSL subjectAlternativeName certificates, two other useful features

Michael Brown mcb30 at ipxe.org
Mon Mar 31 13:17:19 UTC 2014


On 25/11/13 19:12, Alex Chernyakhovsky wrote:
> Are there any other comments or concerns with this patchset? I'd love to
> see it merged.

The subjectAltName and wildcard certificate feature is now pushed:

   http://git.ipxe.org/ipxe.git/commitdiff/f10726c

I'm unsure how subjectAltName is intended to be used with CMS (code 
signing).  The current code will accept either the commonName or any 
dNSName-typed subjectAltName as a match for a certificate name, for both 
TLS and CMS.  It seems plausible that CMS might expect to match on 
e-mail addresses (rfc822Name) rather than DNS names (dNSName), but I 
can't find any definitive documentation on this.  Any input welcome.

Thanks!

Michael
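
The matching rule described in the message above, as an added example (not iPXE's code and not part of the original message). The type and function names, the sample certificate and the single-label wildcard rule are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for decoded certificate fields (not iPXE types). */
enum san_type { SAN_DNS_NAME, SAN_RFC822_NAME };
struct san_entry { enum san_type type; const char *value; };
struct cert_names {
    const char *common_name;
    const struct san_entry *san;
    size_t san_count;
};

/* Case-insensitive string equality. */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Assumed wildcard rule: a leading "*." stands for exactly one non-empty
 * leftmost label; anything else must match in full. */
static int name_matches(const char *pattern, const char *name) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(name, '.');
        return dot != NULL && dot != name && eq_nocase(pattern + 1, dot);
    }
    return eq_nocase(pattern, name);
}

/* Accept commonName or any dNSName subjectAltName; skip other SAN types. */
int cert_check_name(const struct cert_names *cert, const char *name) {
    if (cert->common_name && name_matches(cert->common_name, name))
        return 1;
    for (size_t i = 0; i < cert->san_count; i++)
        if (cert->san[i].type == SAN_DNS_NAME &&
            name_matches(cert->san[i].value, name))
            return 1;
    return 0;
}

/* Constructed sample certificate carrying both SAN types. */
static const struct san_entry sample_san[] = {
    { SAN_DNS_NAME, "*.boot.example.org" },
    { SAN_RFC822_NAME, "signer@example.org" },
};
const struct cert_names sample_cert = { "boot.example.org", sample_san, 2 };

/* Exit status 0: the e-mail name finds no match under this rule. */
int main(void) { return cert_check_name(&sample_cert, "signer@example.org"); }
```

With this rule a CMS signer identified by e-mail address is not matched through the rfc822Name entry, which is the open question the message raises.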


