Eliza Weisman

We should probably change the documentation to reflect that this behavior is specific to the `err` argument. I think that was the _intent_ behind the original documentation.

Yeah, this is a Tokio 0.2 limitation — there is an upstream ticket about it: https://github.com/tokio-rs/tokio/issues/1838. As per https://github.com/tokio-rs/tokio/issues/1838#issuecomment-564216581, this limitation may be removed in the future.

> Hey Jon. Enjoyed your return to YouTube! I spent some time this past weekend switching logging over to the [tracing](https://github.com/tokio-rs/tracing) crate (formerly tokio-trace). I'll need some more time to...

@whiskeysierra > I wanted to assess both of these options but I'm missing a lot of background here. > Primarily the motivation and reason behind linkerd/webpki. > Why did you...

@MrFreezeex > Hi @hawkw, If I understand correctly this should be fixed with the latest edge release right? Since we've switched to a version of `webpki` that supports name constraints,...

Hmm, interesting! Thanks for looking into this @whiskeysierra, I guess we'll need to make additional changes in the proxy in order to support name constraints...

Welp, I think I've figured out what's going on here. The peer certificate verification is being performed through `rustls`, rather than calling into `rustls-webpki` directly. The proxy [currently depends on...

> I just tested it with the latest edge release and with a NON-matching name constraint (e.g. `.foo.local`) on the issuer certificate I now correctly see the linkerd control plane...

@whiskeysierra It does seem incorrect to me that the root CA's name constraint is not being checked, I'm trying to figure out why that would be happening. Can I get...

> I'm not sure where I went wrong last time, but I just tried - with a fresh set of CAs - to give you a full set of certificates....