
SChannel host name verification

Open pepone opened this issue 1 year ago • 1 comments

The Schannel implementation of the Ice SSL transport calls IceSSL::SSLEngine::verifyPeerCertName to verify the peer certificate name.

We should switch to using the CertVerifyCertificateChainPolicy method provided by Schannel.

pepone avatar Apr 19 '24 20:04 pepone

The validation of the peer certificate name doesn't include the alternate names, so it would be a bit limiting to use this for verifying the peer certificate name. It is still useful to call CertVerifyCertificateChainPolicy for validating the certificate usage and other policy constraints.

pepone avatar Apr 22 '24 14:04 pepone

This was fixed in #2063 to use CertVerifyCertificateChainPolicy; we don't use the built-in name policy because it doesn't check for subject alt-names.

pepone avatar May 17 '24 15:05 pepone
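The SAN-aware name check the thread is arguing for, as an added stand-alone example that is not IceSSL's own code: `PeerCertNames` is an assumed, already-decoded view of the peer certificate (parsing the Schannel CERT_CONTEXT is out of scope), and `matchPeerCertName` consults the subjectAltName dNSName/iPAddress entries first and falls back to the subject CN only for a certificate that has no SAN at all.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Assumed, already-decoded view of the peer certificate (constructed for this
// example; extracting it from the Schannel CERT_CONTEXT is not shown).
struct PeerCertNames {
    std::string subjectCN;                 // subject commonName
    std::vector<std::string> dnsNames;     // subjectAltName dNSName entries
    std::vector<std::string> ipAddresses;  // subjectAltName iPAddress entries, textual
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Match one DNS-ID from the certificate against the expected host name.
// Only a leading "*." wildcard is honoured; it covers exactly one label and the
// remaining suffix must contain at least two labels (so "*.com" never matches).
static bool dnsNameMatches(const std::string& pattern, const std::string& host) {
    const std::string p = lower(pattern), h = lower(host);
    if (p.rfind("*.", 0) != 0) return p == h;
    const std::string suffix = p.substr(1);  // e.g. ".example.com"
    if (h.size() <= suffix.size()) return false;
    if (h.compare(h.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    const std::string firstLabel = h.substr(0, h.size() - suffix.size());
    return firstLabel.find('.') == std::string::npos &&
           std::count(suffix.begin(), suffix.end(), '.') >= 2;
}

// SAN-aware host name verification: when the certificate carries any SAN entry
// the subject CN is ignored (RFC 6125 style); only a legacy certificate without
// a SAN falls back to CN. A CN-only check would wrongly reject SAN-only certs.
bool matchPeerCertName(const PeerCertNames& cert, const std::string& host) {
    const bool hasSAN = !cert.dnsNames.empty() || !cert.ipAddresses.empty();
    if (!hasSAN) return dnsNameMatches(cert.subjectCN, host);
    for (const auto& ip : cert.ipAddresses)
        if (ip == host) return true;  // IP literal, compared in textual form
    for (const auto& dns : cert.dnsNames)
        if (dnsNameMatches(dns, host)) return true;
    return false;
}
```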