Golang CertChecker hostname validation differs to OpenSSH

Michael Ströder michael at stroeder.com
Mon May 15 20:42:40 AEST 2017

Adam Eijdenberg wrote:
> I think this what "check_host_cert()" does, and as far as I can tell,
> OpenSSH only passes it the hostname (not "host:port").
> (for better or for worse, this would be roughly inline with X.509v3
> cert host matching, which also doesn't match on port numbers)

If possible OpenSSH IMO should not reproduce this particular deficiency of the TLS
hostname check.

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3829 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170515/07c65840/attachment-0001.bin>

More information about the openssh-unix-dev mailing list