[openssl-users] Hostname validation

Viktor Dukhovni openssl-users at dukhovni.org
Sun Jan 25 17:57:06 UTC 2015


On Sun, Jan 25, 2015 at 07:43:14PM +0300, Serj wrote:

> What is the best way to make hostname validation?
> 
> 1. http://wiki.openssl.org/index.php/Hostname_validation
> 2. X509_check_host that was added in OpenSSL 1.1.0.

The X509_check_host() interface is also available in OpenSSL 1.0.2,
released a few days ago:

    https://www.openssl.org/docs/crypto/X509_check_host.html

(the documentation should be updated to note the earlier availability).

Starting with 1.0.2, you can also ask OpenSSL to automatically
perform hostname checks during the SSL handshake on the application's
behalf:

    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_hostflags.html
    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set1_host.html
    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_add1_host.html
    https://www.openssl.org/docs/ssl/SSL_set_verify.html

Sadly, we're still lacking documentation of SSL_get0_param() which
is needed for a complete SSL hostname check recipe:

	const char *servername;
	SSL *ssl;
	X509_VERIFY_PARAM *param;

	servername = "www.example.com";
	ssl = SSL_new(...);
	param = SSL_get0_param(ssl);

	/* Enable automatic hostname checks */
	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
	if (!X509_VERIFY_PARAM_set1_host(param, servername, 0)) {
		/* Hostname check was not configured: do not connect */
		...
	}

	/* Configure a non-zero callback if desired */
	SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);

	/*
	 * Establish the SSL connection; the hostname should be checked
	 * automatically.  Test with a hostname that should not match:
	 * the connection will fail (unless you specify a callback
	 * that returns 1 despite the verification failure).  In that
	 * case SSL_get_verify_result() can expose the problem after
	 * connection completion.
	 */
	 ...

> I don't know whether the first one supports wildcards or not! It
> seems that how Curl_cert_hostcheck works is the answer, but I
> don't know how it works.

Wildcard support is configured via the flags documented for X509_check_host();
the two most frequently useful are:

	X509_CHECK_FLAG_NO_WILDCARDS
	X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

-- 
	Viktor.