-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rcgen should refuse emply subject_alt_names #73
Comments
Yeah this is a general issue with webpki. You should be glad it's not BadDer as that's like half of webpki's errors ;). openssl is defintely better in that regard. If you have problems with a certificate, I recommend you try it out with openssl or one of its forks. I'm not really sure I want to refuse an empty |
My main purpose about this issue was for other to find it if they run into this problem too.
I wouldn't be surprise, it's must be a HTTP specific rule or something. I'm fighting with webpki since I start trying to use rustls. I don't understand why rustls have pick webpki, it's too much web oriented, I finally have my simple server running with self signed cert with client authentication, I don't require any verification with webpki cause client only accept the server certificate and same for the server that only accept a list of certificate client and they are exchange securely, only take me weeks to understand how to avoid webpki verification of self signed cert. And now I will live with my dummy subject_alt_names ;) well can't hurt at least they have name now. maybe:
I can't follow a RFC this big |
Cause webpki refuse it https://github.com/briansmith/webpki/blob/17d9189981a618120fd8217a913828e7418e2484/src/cert.rs#L98-L107
It's lead to:
(not a very explicit error).
I suggest at the very least that
generate_simple_self_signed
refuse empty vec.The text was updated successfully, but these errors were encountered: