[openssl-users] Hostname validation

Serj rasjv at yandex.com
Mon Jan 26 10:03:16 UTC 2015



25.01.2015, 20:59, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
>  On Sun, Jan 25, 2015 at 07:43:14PM +0300, Serj wrote:
>>   What is the best way to do hostname validation?
>>
>>   1. http://wiki.openssl.org/index.php/Hostname_validation
>>   2. X509_check_host that was added in OpenSSL 1.1.0.
>  The X509_check_host() interface is also available in OpenSSL 1.0.2
>  released a few days ago
>
>      https://www.openssl.org/docs/crypto/X509_check_host.html
>
>  (the documentation should be updated to note the earlier availability).
>
>  Starting with 1.0.2, you can also ask OpenSSL to automatically
>  perform hostname checks during the SSL handshake on the application's
>  behalf:
>
>      https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_hostflags.html
>      https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set1_host.html
>      https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_add1_host.html
>      https://www.openssl.org/docs/ssl/SSL_set_verify.html
>
>  Sadly, we're still lacking documentation of SSL_get0_param() which
>  is needed for a complete SSL hostname check recipe:
>
>          const char *servername;
>          SSL *ssl;
>          X509_VERIFY_PARAM *param;
>
>          servername = "www.example.com";
>          ssl = SSL_new(...);
>          param = SSL_get0_param(ssl);
>
>          /* Enable automatic hostname checks */
>          X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
>          X509_VERIFY_PARAM_set1_host(param, servername, 0);
>
>          /* Configure a non-zero callback if desired */
>          SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);
>
>          /*
>           * Establish the SSL connection; the hostname should be checked
>           * automatically.  Test with a hostname that should not match:
>           * the connection will fail (unless you specify a callback
>           * that returns success despite the verification failure.  In that
>           * case SSL_get_verify_result() can expose the problem after
>           * connection completion.)
>           */
>           ...
>>   I don't know whether the first one supports wildcards or not! It seems
>>   the answer is "how Curl_cert_hostcheck works", but I
>>   don't know how it works.
>  Wildcard support is configured via the flags documented for X509_check_host(),
>  the two most frequently useful are:
>
>          X509_CHECK_FLAG_NO_WILDCARDS
>          X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
>
>  --
>          Viktor.
>  _______________________________________________
>  openssl-users mailing list
>  To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
Best Regards,

Serj
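As an added illustration (not code from this thread, and not OpenSSL's own implementation), the following C program re-implements the dNSName matching rules that the X509_check_host() wildcard flags control, so the effect of X509_CHECK_FLAG_NO_WILDCARDS and X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS can be seen on plain strings. The HC_* flag constants are assumed names modelled on the OpenSSL ones with arbitrary values, and the SAN/CN strings are constructed sample data. It also mirrors the name-selection rule that dNSName SAN entries take precedence and the subject CN is consulted only when no dNSName SAN is present. Real applications should call X509_check_host() or X509_VERIFY_PARAM_set1_host() rather than this code.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed flag names, modelled on X509_CHECK_FLAG_*; the values are ours. */
#define HC_NO_WILDCARDS          0x01u
#define HC_NO_PARTIAL_WILDCARDS  0x02u

/* Case-insensitive equality of two byte ranges (DNS names are case-insensitive). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match one dNSName pattern against a host name; returns 1 on match, 0 otherwise. */
int match_dns_pattern(const char *pattern, const char *host, unsigned flags)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    const char *star = memchr(pattern, '*', plen);

    if (star == NULL)                               /* no wildcard: exact match */
        return plen == hlen && eq_nocase(pattern, host, plen);
    if (flags & HC_NO_WILDCARDS)                    /* wildcards disabled entirely */
        return 0;

    const char *dot = memchr(pattern, '.', plen);   /* end of the left-most label */
    if (dot == NULL || star > dot)                  /* '*' only in the left-most label */
        return 0;
    if (memchr(star + 1, '*', plen - (size_t)(star + 1 - pattern)) != NULL)
        return 0;                                   /* at most one '*' */
    if (strchr(dot + 1, '.') == NULL)               /* "*.com" style patterns are rejected */
        return 0;

    size_t prefix_len = (size_t)(star - pattern);   /* bytes before '*' in the first label */
    size_t suffix_len = plen - prefix_len - 1;      /* everything after '*' */
    int partial = prefix_len != 0 || star + 1 != dot; /* "www*" or "*www" style label */
    if (partial && (flags & HC_NO_PARTIAL_WILDCARDS))
        return 0;

    /* A bare "*" label must match at least one character; a partial one may match none. */
    if (hlen < prefix_len + suffix_len + (partial ? 0u : 1u))
        return 0;
    if (!eq_nocase(pattern, host, prefix_len))
        return 0;
    if (!eq_nocase(star + 1, host + hlen - suffix_len, suffix_len))
        return 0;
    /* The part matched by '*' must stay within a single label. */
    for (const char *p = host + prefix_len; p < host + hlen - suffix_len; p++)
        if (*p == '.')
            return 0;
    return 1;
}

/* Name selection as documented for X509_check_host(): dNSName SANs are checked
 * when present; the subject CN is only consulted if the cert has none. */
int check_host(const char *const *san_dns, size_t nsan, const char *cn,
               const char *host, unsigned flags)
{
    if (nsan > 0) {
        for (size_t i = 0; i < nsan; i++)
            if (match_dns_pattern(san_dns[i], host, flags))
                return 1;
        return 0;
    }
    return cn != NULL && match_dns_pattern(cn, host, flags);
}

int main(void)
{
    /* Constructed sample certificate contents: two dNSName SANs and an unrelated CN. */
    const char *sans[] = { "*.example.com", "example.com" };
    const char *cn = "legacy.example.org";

    printf("www.example.com   default        -> %d\n",
           check_host(sans, 2, cn, "www.example.com", 0));
    printf("www.example.com   NO_WILDCARDS   -> %d\n",
           check_host(sans, 2, cn, "www.example.com", HC_NO_WILDCARDS));
    printf("a.b.example.com   default        -> %d\n",
           check_host(sans, 2, cn, "a.b.example.com", 0));
    printf("legacy.example.org (CN ignored)  -> %d\n",
           check_host(sans, 2, cn, "legacy.example.org", 0));
    printf("www1 vs www*.example.com, NO_PARTIAL -> %d\n",
           match_dns_pattern("www*.example.com", "www1.example.com",
                             HC_NO_PARTIAL_WILDCARDS));
    return 0;
}
```

The NO_PARTIAL_WILDCARDS case is the one worth noting for the recipe above: with that flag a SAN of "www*.example.com" no longer matches "www1.example.com", while a plain "*.example.com" still matches one extra label and never the bare "example.com".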

