IXWebSocket wss c++ client cannot connect to Node.js wss server using an ip address
Pierre-Luc Boily
pierreluc.boily at gmail.com
Thu Feb 16 18:21:56 UTC 2023
Hello,
I have a question regarding the flag "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS".
In the book of Ivan Ristic (Bullet Proof TLS and PKI), chapter 12,
section *Creating
Certificates for Multiple Hostnames*, the author uses a wildcard in the SAN
(*.feistyduck.com).
So, if the SAN has *.feistyduck.com and feistyduck.com, what will be
accepted with the above flag?
1. www.feistyduck.com ?
2. www.sub.feistyduck.com ?
3. www.sub.sub2.feistyduck.com ?
4. feistyduck.com ?
Thank you
Pierre-Luc
Le mer. 15 févr. 2023, à 12 h 28, Viktor Dukhovni <
openssl-users at dukhovni.org> a écrit :
> On Wed, Feb 15, 2023 at 09:45:01AM -0500, Pierre-Luc Boily wrote:
>
> > I guess that you also tell me to use another library because if this
> > simple thing (checking the ip address) is not well implemented, we
> > cannot trust the rest of the implementation!
>
> Actually, what disturbed me was not lack of support for IP addresses,
> but:
>
> - The library maintainer's handwaving response to the issue
> - The fact that reportedly in-application name checks have
> not yet been removed, though a decade or so obsolete.
>
> > So, I guess that I should do something like this instead :
>
> Yes, with minor tweaks:
>
> if (isIpAddress(host))
> {
> // We are connecting to an IP address. let OpenSSL validate the
> // IP address in SAN
> X509_VERIFY_PARAM *param = SSL_get0_param(_ssl_connection);
> X509_VERIFY_PARAM_set1_host(param, NULL, 0);
> X509_VERIFY_PARAM_set1_ip_asc(param, host.c_str());
> }
> else
> {
> SSL_set1_host(_ssl_connection, host.c_str());
> // Both CN-ID and partial wildcards are deprecated
> // Optionally, reject all wildcards via:
> // X509_CHECK_FLAG_NO_WILDCARDS
> // See X509_check_host(3).
> //
> SSL_set_hostflags(_ssl_connection,
> X509_CHECK_FLAG_NEVER_CHECK_SUBJECT |
> X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
> }
>
> The hostname is presumed NUL-terminated, otherwise indeed use
> X509_VERIFY_PARAM_set1_host() also for hostnames. It would also be
> appropriate to check the success/failure of the various calls, check the
> documentation for details.
>
> If (very unlikely) you want to check the certificate for BOTH a matching
> name AND a matching IP address, you can set up the verification
> parameters to have both a hostname and an IP addresss.
>
> --
> Viktor.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230216/e4276f5d/attachment.htm>
More information about the openssl-users
mailing list