Update the "Known Issues"

Mention that some old cryptographic library versions lack the
functionality to implement ignoring the Subject field (and thus the
Common Name) when establishing DoT connections.
Artem Boldariev 2022-02-21 10:25:41 +02:00
parent 337943c047
commit 8c9532f8cf

@ -20,7 +20,16 @@ Security Fixes
Known Issues
~~~~~~~~~~~~
- None.
- According to RFC 8310, Section 8.1, the Subject field MUST NOT be
inspected when verifying a remote certificate while establishing a
DNS-over-TLS connection. Only SubjectAltName must be checked
instead. Unfortunately, some quite old versions of cryptographic
libraries might lack the functionality to ignore the Subject
field. It should have minimal production use consequences, as most
of the production-ready certificates issued by certificate
authorities will have SubjectAltNames set. In such a case, the
Subject field is ignored. Only old platforms are affected by this,
e.g., those supplied with OpenSSL versions older than 1.1.1.
New Features
~~~~~~~~~~~~
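Review bot: the sentence "In such a case, the Subject field is ignored." in the new Known Issues bullet is ambiguous about which case it refers to; as written it can be read as describing the old-library platforms, when it means certificates that carry SubjectAltName. Suggest "When a SubjectAltName is present, the Subject field is ignored even by those older libraries." and, for completeness, state the actual consequence on the affected platforms, namely that a certificate without SubjectAltName may have its Subject field (and Common Name) inspected, contrary to RFC 8310, Section 8.1. Also "Only SubjectAltName must be checked instead." should read "Only the SubjectAltName must be checked instead.", and since "e.g., those supplied with OpenSSL versions older than 1.1.1" is the only concrete boundary given, it would be clearer to state it as the requirement ("platforms with OpenSSL older than 1.1.1") rather than as an example.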