Certificate subject match validation

George-Theodor Serbana theodor.serbana96 at gmail.com
Sun Mar 29 10:00:03 UTC 2020


Yes, indeed I don't want to take into account the CN, only the SANs. Thanks
for the extra flag and all the clarifications!

Best regards,
Theodor


>
>
> > >  > For now I am using X509_VERIFY_PARAM_set1_host with SSL_CTX_set1_param to
> > >  > do this specific check.
> > >
> > >  That's the slightly less convenient legacy API from OpenSSL 1.0.2.
> > >  In 1.1.0 and later, you can use SSL_set1_host() (and in some
> > >  cases also SSL_add1_host()).
> > >
> > >  See the SSL_set1_host(3) manpage for details.
> >
> > Indeed I re-read the docs and it says that users should not assume that
> > hostnames are validated by default without explicitly calling the API, I
> > must've missed that bit and thank you for letting me know. I will shift
> > towards using the newer SSL_set1_host together with some flags (I don't
> > want any wildcards).
>
> If your needs are sufficiently narrow to rule out connecting to sites
> that use wildcard certificates, perhaps they're also narrow enough to
> rule out sites that don't have subjectAltNames, in which case the
> flags could be:
>
> So you'll call either of (here a NULL callback, set a non-null callback
> if appropriate):
>
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);     /* Just once */
>     SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);         /* Per connection */
>
> followed by (per connection):
>
>     SSL_set1_host(ssl, "www.example.org");
>     SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_WILDCARDS
>                          | X509_CHECK_FLAG_NEVER_CHECK_SUBJECT);
>
> which also insists on a DNS subject altname (the preferred way to
> authenticate DNS names), and never looks at any CN field in the subject
> DN.
>
> > Now just to be extra safe I'm still asking: will the VERIFY_PEER option
> > together with SSL_set1_host instruct OpenSSL to perform all possible checks
> > on the certificate presented by the server such that no security breach
> > remains at this level? Is there anything else that I should call or perform
> > manually?
>
> No, the above is enough.
>
> --
>     Viktor.
>