Dear John,

>In the above case, had OpenSSL supported IDNs directly, it would have
>prevented this bug in the first place. That being said, since TLS
>essentially only uses A-labels as far as I can tell, I can’t necessarily
>say it’s wrong that OpenSSL doesn’t support IDNs.

RFCs 8398 and 8399 allow EAI mail addresses as Alternative Names and
suggest pretty strongly that even though the domains in certs are
A-labels, libraries should handle U-labels and convert where needed.
Since they have to handle U-labels in the EAI addresses, the domains
aren't a lot of extra work.

I presume that at some point OpenSSL will catch up with those RFCs but
I don't know what the schedule is.

As I wrote before, I've started to implement RFC 8399 and the show-stopper for now is obtaining a set of test cases.

The OpenSSL team does not want to link OpenSSL with, say, libidn (and to implement IDN conversion inside the library for domains).
I've found out that 2-3 functions inherited from RFC 3492 will fit all the purposes necessary to implement RFC 8399.

--
SY, Dmitry Belyavsky
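To illustrate the point made in the message above, that the Punycode routines of RFC 3492 (an encoder, a decoder and the shared `adapt` bias function) are enough to move between U-labels and A-labels, here is an added, self-contained example written for this thread. It is not OpenSSL code and not Dmitry's implementation; it is in Python rather than OpenSSL's C so that it stays short. It implements only the RFC 3492 transfer encoding plus the `xn--` prefixing, not the RFC 5891/5892 IDNA2008 validation and mapping that a real RFC 8399 implementation also needs, and the function and sample names (`to_ascii`, `name_matches`, `bücher.example`) are the author's own choices, not names from any RFC or library.

```python
"""RFC 3492 Punycode and minimal U-label <-> A-label conversion (added example).

Bootstring parameters from RFC 3492 section 5. Python ints do not overflow, so
the overflow checks of the RFC's reference implementation are omitted.
"""
BASE, TMIN, TMAX, SKEW, DAMP, INITIAL_BIAS, INITIAL_N = 36, 1, 26, 38, 700, 72, 128


def _adapt(delta, numpoints, firsttime):
    """Bias adaptation, RFC 3492 section 6.1."""
    delta = delta // DAMP if firsttime else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + (BASE - TMIN + 1) * delta // (delta + SKEW)


def _threshold(k, bias):
    """Clamped per-digit threshold t(k)."""
    if k <= bias:
        return TMIN
    if k >= bias + TMAX:
        return TMAX
    return k - bias


def _digit_char(d):
    """0..25 -> 'a'..'z', 26..35 -> '0'..'9' (lowercase output)."""
    return chr(d + 22) if d >= 26 else chr(d + ord('a'))


def _char_digit(c):
    if 'a' <= c <= 'z':
        return ord(c) - ord('a')
    if 'A' <= c <= 'Z':
        return ord(c) - ord('A')
    if '0' <= c <= '9':
        return ord(c) - ord('0') + 26
    raise ValueError(f"invalid Punycode digit {c!r}")


def punycode_encode(label):
    """RFC 3492 section 6.3: Unicode label -> Punycode (without the xn-- prefix)."""
    cps = [ord(c) for c in label]
    out = [c for c in label if ord(c) < 0x80]   # basic code points copied verbatim
    b = h = len(out)
    if b:
        out.append('-')                          # delimiter only if basic chars exist
    n, delta, bias = INITIAL_N, 0, INITIAL_BIAS
    while h < len(cps):
        m = min(cp for cp in cps if cp >= n)     # next code point to insert
        delta += (m - n) * (h + 1)
        n = m
        for cp in cps:
            if cp < n:
                delta += 1
            elif cp == n:
                q, k = delta, BASE
                while True:                      # generalized variable-length integer
                    t = _threshold(k, bias)
                    if q < t:
                        break
                    out.append(_digit_char(t + (q - t) % (BASE - t)))
                    q = (q - t) // (BASE - t)
                    k += BASE
                out.append(_digit_char(q))
                bias = _adapt(delta, h + 1, h == b)
                delta, h = 0, h + 1
        delta += 1
        n += 1
    return ''.join(out)


def punycode_decode(text):
    """RFC 3492 section 6.2: Punycode (without xn--) -> Unicode label."""
    b = text.rfind('-')                          # last delimiter separates basic part
    out = [ord(c) for c in text[:max(b, 0)]]
    if any(cp >= 0x80 for cp in out):
        raise ValueError("non-basic code point before delimiter")
    pos = b + 1 if b > 0 else 0
    n, i, bias = INITIAL_N, 0, INITIAL_BIAS
    while pos < len(text):
        oldi, w, k = i, 1, BASE
        while True:
            if pos >= len(text):
                raise ValueError("truncated Punycode string")
            digit = _char_digit(text[pos])
            pos += 1
            i += digit * w
            t = _threshold(k, bias)
            if digit < t:
                break
            w *= BASE - t
            k += BASE
        bias = _adapt(i - oldi, len(out) + 1, oldi == 0)
        n += i // (len(out) + 1)                 # code point to insert
        i %= len(out) + 1                        # position to insert it at
        out.insert(i, n)
        i += 1
    return ''.join(map(chr, out))


def to_ascii(domain):
    """Domain of U-labels/A-labels -> all A-labels, lowercased label by label.
    Illustrative only: no IDNA2008 (RFC 5891/5892) validation or mapping."""
    return '.'.join(
        lbl.lower() if all(ord(c) < 0x80 for c in lbl)
        else 'xn--' + punycode_encode(lbl.lower())
        for lbl in domain.split('.'))


def to_unicode(domain):
    """Inverse of to_ascii: A-labels back to U-labels for display."""
    return '.'.join(
        punycode_decode(lbl[4:]) if lbl.lower().startswith('xn--') else lbl.lower()
        for lbl in domain.split('.'))


def name_matches(cert_dns_name, requested_host):
    """Compare a certificate dNSName (A-labels) with a host given as U-labels."""
    return to_ascii(cert_dns_name) == to_ascii(requested_host)


def mailbox_domain_to_ascii(mailbox):
    """For an EAI address (RFC 8398 SmtpUTF8Mailbox) only the domain part is
    Punycoded; the UTF-8 local part is left exactly as given."""
    local, _, domain = mailbox.rpartition('@')
    return f"{local}@{to_ascii(domain)}"


if __name__ == "__main__":   # constructed sample input, not taken from any real certificate
    print(to_ascii("Bücher.example"), name_matches("xn--bcher-kva.example", "Bücher.example"))
```

The matching function converts both sides to A-labels before comparing, which is the direction the RFCs steer libraries towards: the certificate carries A-labels, the caller may supply U-labels, and the comparison must not depend on which form arrived. The decoder is what a library needs to render a subjectAltName back as text.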