Known Issues
~~~~~~~~~~~~
-- None.
+- According to RFC 8310, Section 8.1, the Subject field MUST NOT be
+ inspected when verifying a remote certificate while establishing a
+ DNS-over-TLS connection. Only SubjectAltName must be checked
+ instead. Unfortunately, some quite old versions of cryptographic
+ libraries might lack the functionality to ignore the Subject
+ field. It should have minimal production use consequences, as most
+ of the production-ready certificates issued by certificate
+ authorities will have SubjectAltNames set. In such a case, the
+ Subject field is ignored. Only old platforms are affected by this,
+ e.g., those supplied with OpenSSL versions older than 1.1.1.
New Features
~~~~~~~~~~~~
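
Review bot: the new Known Issues entry does not say what actually happens on the affected platforms. The sentence "some quite old versions of cryptographic libraries might lack the functionality to ignore the Subject field" leaves the reader to infer that, with OpenSSL older than 1.1.1, a certificate without a SubjectAltName may still be matched against its Subject, contrary to RFC 8310, Section 8.1. If that is the behaviour, state it outright so operators know which certificates are affected. Also, "It should have minimal production use consequences" has no clear antecedent; something like "This limitation should have minimal consequences in production" reads better. "Only SubjectAltName must be checked instead" would be clearer as "only SubjectAltName is to be checked".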