[openssl-users] Hostname validation
Serj
rasjv at yandex.com
Tue Jan 27 20:21:03 UTC 2015
Hi, Viktor.
27.01.2015, 23:07, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> It is complete enough. The word "mumble" is not meant to be taken
Your full code from the wiki is:

#include <openssl/ssl.h>
#include <openssl/x509v3.h>   /* X509_CHECK_FLAG_* */

const char *servername;
SSL *ssl;
X509_VERIFY_PARAM *param;

servername = "www.example.com";
ssl = SSL_new(...);
param = SSL_get0_param(ssl);

/* Enable automatic hostname checks */
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
X509_VERIFY_PARAM_set1_host(param, servername, 0);

/* Configure a non-zero callback if desired */
SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);

/*
 * Establish the SSL connection; the hostname should be checked
 * automatically. Test with a hostname that should not match:
 * the connection will fail (unless you specify a callback
 * that returns success despite the verification failure. In that
 * case SSL_get_verify_result() can expose the problem after
 * connection completion).
 */
...
Here you set only "param":

X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
X509_VERIFY_PARAM_set1_host(param, servername, 0);

But how is this variable associated with the "ssl" object or the "ctx" object?
I really don't understand! Please explain in more detail.
The only function I know of is SSL_CTX_set1_param(), which associates "param" with the context "ctx".
--
Best Regards,
Serj