From: Viktor Dukhovni <openssl-users-SJqavsrRVuFg9hUCZPvPmw <at> public.gmane.org>
Subject: Re: Hostname validation
Newsgroups: gmane.comp.encryption.openssl.user
Date: Sunday 25th January 2015 17:57:06 UTC
On Sun, Jan 25, 2015 at 07:43:14PM +0300, Serj wrote:

> What is the best way to make hostname validation?
> 
> 1. http://wiki.openssl.org/index.php/Hostname_validation
> 2. X509_check_host that was added in OpenSSL 1.1.0.

The X509_check_host() interface is also available in OpenSSL 1.0.2,
released a few days ago:

    https://www.openssl.org/docs/crypto/X509_check_host.html

(the documentation should be updated to note the earlier availability).

Starting with 1.0.2, you can also ask OpenSSL to automatically
perform hostname checks during the SSL handshake on the application's
behalf:

    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_hostflags.html
    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set1_host.html
    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_add1_host.html
    https://www.openssl.org/docs/ssl/SSL_set_verify.html

Sadly, we're still lacking documentation of SSL_get0_param() which
is needed for a complete SSL hostname check recipe:

	#include <openssl/ssl.h>
	#include <openssl/x509v3.h>   /* X509_CHECK_FLAG_* */

	const char *servername;
	SSL *ssl;
	X509_VERIFY_PARAM *param;

	servername = "www.example.com";
	ssl = SSL_new(...);
	/* The SSL object's own verification parameters (no copy, do not free) */
	param = SSL_get0_param(ssl);

	/* Enable automatic hostname checks */
	X509_VERIFY_PARAM_set_hostflags(param,
	                                X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
	X509_VERIFY_PARAM_set1_host(param, servername, 0);

	/* Configure a non-zero callback if desired */
	SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);

	/*
	 * Establish the SSL connection; the hostname should be checked
	 * automatically.  Test with a hostname that should not match:
	 * the connection will fail (unless you specify a callback
	 * that returns success despite the verification failure.  In that
	 * case SSL_get_verify_result() can expose the problem after
	 * connection completion).
	 */
	 ...

> I don't know whether the first one supports wildcards or not! It seems
> the answer is how Curl_cert_hostcheck works, but I
> don't know how it works.

Wildcard support is configured via the flags documented for
X509_check_host(); the two most frequently useful are:

	X509_CHECK_FLAG_NO_WILDCARDS
	X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

-- 
	Viktor.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
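The wildcard rules those two flags control, as an added example that is not part of the original message or of OpenSSL's own code: a simplified Python model of X509_check_host() matching. It keeps the main rules (one wildcard, leftmost label only, at least two labels after it, no `foo*bar` forms, NO_PARTIAL_WILDCARDS requiring the whole label to be `*`, NO_WILDCARDS rejecting any wildcard) but always requires the wildcard to cover at least one character, which is stricter than OpenSSL for patterns like `*abc.example.com`.

```python
import re

# Characters the wildcard may stand for: one label's worth, no dots.
LABEL_RE = re.compile(r"^[a-z0-9-]+$")


def split_wildcard_pattern(pattern, no_wildcards=False, no_partial_wildcards=False):
    """Return (prefix, suffix) around the single '*' of an acceptable wildcard
    pattern, None for a literal name, or raise ValueError if the wildcard is
    illegal under the given flags (names already lower-cased by the caller)."""
    if "*" not in pattern:
        return None
    if no_wildcards or pattern.count("*") != 1:
        raise ValueError("wildcard not permitted: %r" % pattern)
    first, rest = pattern.split(".")[0], pattern.split(".")[1:]
    if "*" not in first:
        raise ValueError("wildcard must be in the leftmost label: %r" % pattern)
    if len(rest) < 2:  # '*.com' is never accepted
        raise ValueError("need at least two labels after the wildcard: %r" % pattern)
    if first.startswith("xn--"):
        raise ValueError("no wildcards in IDNA labels: %r" % pattern)
    at_start, at_end = first.startswith("*"), first.endswith("*")
    if not (at_start or at_end):  # 'f*o.example.com'
        raise ValueError("wildcard must start or end its label: %r" % pattern)
    if no_partial_wildcards and first != "*":  # 'w*.example.com'
        raise ValueError("partial wildcard rejected by NO_PARTIAL_WILDCARDS: %r" % pattern)
    prefix, suffix = pattern.split("*")
    return prefix, suffix


def hostname_matches(pattern, hostname, no_wildcards=False, no_partial_wildcards=False):
    """True if the certificate name 'pattern' matches 'hostname' under the flags."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    try:
        parts = split_wildcard_pattern(pattern, no_wildcards, no_partial_wildcards)
    except ValueError:
        return False  # an illegal wildcard pattern simply fails to match
    if parts is None:
        return pattern == hostname  # literal name: exact, case-insensitive match
    prefix, suffix = parts
    if len(hostname) < len(prefix) + len(suffix):
        return False
    if not (hostname.startswith(prefix) and hostname.endswith(suffix)):
        return False
    covered = hostname[len(prefix):len(hostname) - len(suffix)]
    # The wildcard must cover at least one character and must not cross a label.
    return covered != "" and LABEL_RE.match(covered) is not None
```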