←back to thread

Just want simple TLS for your .internal network?

(github.com)
246 points nh2 | 2 comments | 18 Oct 24 06:10 UTC | HN request time: 0.565s | source
Show context
christina97 ◴[22 Oct 24 13:19 UTC] No.41913958[source]
Dumb question: lots of folks are talking about name constraints not being understood by old clients since they don’t understand that extension. But is this not exactly the point of critical designation in extensions: is the client not supposed to fail if it comes across a critical extension it doesn’t understand?
replies(1): >>41916320 #
1. michaelt ◴[22 Oct 24 17:04 UTC] No.41916320[source]
For one thing, the fact something's supposed to fail on unexpected input doesn't always mean it will fail.

For another, some implementations thought they understood name constraints, but had bugs in their implementations. For example, applying name constraints correctly to the certificate's Subject Alternate Name but not applying them to the Common Name.

replies(1): >>41916601 #
2. dfox ◴[22 Oct 24 17:33 UTC] No.41916601[source]
As for the overall X.509 ecosystem (not limited to name constraints), the certification validation logic of common clients accepts various subtly, but completely, invalid certificates because CAs used to sign (or even use as root certificate) various kinds of invalid certificates, one can probably even find a certificate, that should be logically trusted, but isn't even a valid DER encoding of the (TBS)Certificate.