authorPaul Aurich <paul@darkrain42.org>2011-05-22 14:06:18 -0700
committerPaul Aurich <paul@darkrain42.org>2011-05-22 14:06:18 -0700
commit03422d0c34a58137fef9402b8cdce4e753d61999 (patch)
tree1350e60b5c46c8936c7a82143196d746cf75b026 /util/x509.lua
parent2fa9066d4206ad09ca74422d62d0096bbb39f8cf (diff)
util.x509: Update references to published RFCs
For TLS-CERTS, see http://tools.ietf.org/rfcdiff?url1=draft-saintandre-tls-server-id-check-10.txt&url2=rfc6125.txt
Diffstat (limited to 'util/x509.lua')
-rw-r--r--util/x509.lua12
1 files changed, 6 insertions, 6 deletions
diff --git a/util/x509.lua b/util/x509.lua
index 11f231a0..d3c55bb4 100644
--- a/util/x509.lua
+++ b/util/x509.lua
@@ -11,8 +11,8 @@
-- IDN libraries complicate that.
--- [TLS-CERTS] - http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-10
--- [XMPP-CORE] - http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-18
+-- [TLS-CERTS] - http://tools.ietf.org/html/rfc6125
+-- [XMPP-CORE] - http://tools.ietf.org/html/rfc6120
-- [SRV-ID] - http://tools.ietf.org/html/rfc4985
-- [IDNA] - http://tools.ietf.org/html/rfc5890
-- [LDAP] - http://tools.ietf.org/html/rfc4519
@@ -32,7 +32,7 @@ local oid_dnssrv = "1.3.6.1.5.5.7.8.7"; -- [SRV-ID]
-- Compare a hostname (possibly international) with asserted names
-- extracted from a certificate.
-- This function follows the rules laid out in
--- sections 4.4.1 and 4.4.2 of [TLS-CERTS]
+-- sections 6.4.1 and 6.4.2 of [TLS-CERTS]
--
-- A wildcard ("*") all by itself is allowed only as the left-most label
local function compare_dnsname(host, asserted_names)
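Review bot: The header comment on `compare_dnsname` cites only sections 6.4.1 and 6.4.2, but the wildcard rule stated just below it comes, as far as I recall RFC 6125, from section 6.4.3 (checking of wildcard certificates). Since the numbers are being refreshed anyway, I would cite it too: `-- sections 6.4.1, 6.4.2 and 6.4.3 of [TLS-CERTS]`. It would also help to say that allowing a lone "*" only as the left-most label is a deliberate, stricter choice than the partial-label wildcards the RFC lets a client accept. The function body lies outside this hunk, so this is about the comment only.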
@@ -150,7 +150,7 @@ function verify_identity(host, service, cert)
if ext[oid_subjectaltname] then
local sans = ext[oid_subjectaltname];
- -- Per [TLS-CERTS] 4.3, 4.4.4, "a client MUST NOT seek a match for a
+ -- Per [TLS-CERTS] 6.3, 6.4.4, "a client MUST NOT seek a match for a
-- reference identifier if the presented identifiers include a DNS-ID
-- SRV-ID, URI-ID, or any application-specific identifier types"
local had_supported_altnames = false
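Review bot: The sentence in quotation marks above `had_supported_altnames` is not verbatim and loses its scope. As I read RFC 6125 section 6.4.4, the prohibition is on seeking a match for a reference identifier of type CN-ID when the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or application-specific types supported by the client. Without "of CN-ID" the comment reads as if no matching should happen at all once a subjectAltName is present, which could mislead a later maintainer about when the Common Name fallback is allowed. I would reword the first two lines to `-- Per [TLS-CERTS] 6.4.4, "a client MUST NOT seek a match for a reference` / `-- identifier of CN-ID if the presented identifiers include a DNS-ID,` and leave the rest of the quote in place. `verify_identity` starts and ends outside this hunk, so whether the fallback is actually gated on this flag cannot be confirmed from here.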
@@ -183,7 +183,7 @@ function verify_identity(host, service, cert)
-- a dNSName subjectAltName (wildcards may apply for, and receive,
-- cat treats)
--
- -- Per [TLS-CERTS] 1.5, a CN-ID is the Common Name from a cert subject
+ -- Per [TLS-CERTS] 1.8, a CN-ID is the Common Name from a cert subject
-- which has one and only one Common Name
local subject = cert:subject()
local cn = nil
@@ -200,7 +200,7 @@ function verify_identity(host, service, cert)
end
if cn then
- -- Per [TLS-CERTS] 4.4.4, follow the comparison rules for dNSName SANs.
+ -- Per [TLS-CERTS] 6.4.4, follow the comparison rules for dNSName SANs.
return compare_dnsname(host, { cn })
end