[openssl-users] Hostname validation

Serj rasjv at yandex.com
Tue Jan 27 19:09:38 UTC 2015


Hi, Viktor.

27.01.2015, 20:23, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> The way I would set SSL verification parameters is to obtain
> handle via SSL_get0_param() or where appropriate SSL_CTX_get0_param(),
> and use the various X509_VERIFY_PARAM_mumble() functions to tweak
> the parameter object in place.

Why aren't there any X509_VERIFY_PARAM_mumble() functions in your code?
So your code is not complete?
And if so, why was it already added to the wiki here: http://wiki.openssl.org/index.php/Hostname_validation


> As I mentioned, this function should be documented, but is not yet.
> The documentation for these functions is not yet written.
> Yes, these need (more) documentation.

So maybe it is better to use X509_check_host() in "post connection checks" for now?

It's strange, because in the documentation I read:
----------------------------------------------------------------------------------
Applications are strongly advised to use this interface in preference to explicitly calling X509_check_host(3), hostname checks are out of scope with the DANE-EE(3) certificate usage, and the internal check will be suppressed as appropriate when DANE support is added to OpenSSL.

NOTES
Applications are encouraged to use X509_VERIFY_PARAM_set1_host() rather than explicitly calling X509_check_host(3). Host name checks are out of scope with the DANE-EE(3) certificate usage, and the internal checks will be suppressed as appropriate when DANE support is added to OpenSSL.
----------------------------------------------------------------------------------
and there is no documentation at all on how to properly set the params for an SSL or CTX!


Maybe this code is right, while there is no full documentation yet:

  #include <openssl/ssl.h>
  #include <openssl/x509v3.h>

  /* copy a standalone parameter object into ctx; returns 1 on success */
  static int set_hostname_params(SSL_CTX *ctx)
  {
    const char *servername = "www.openssl.org"; /* string literals are already NUL-terminated */
    X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
    int ok = 0;
    if (param == NULL)
      return 0;

    /* enable automatic hostname checks */
    X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    /* namelen 0: servername is NUL-terminated */
    if (X509_VERIFY_PARAM_set1_host(param, servername, 0)
        && SSL_CTX_set1_param(ctx, param)) /* ctx keeps its own copy of the fields that were set */
      ok = 1;

    /* free param: ctx no longer refers to it */
    X509_VERIFY_PARAM_free(param);
    return ok;
  }


--
Best Regards,

Serj

