[openssl-users] Hostname validation
Dr. Stephen Henson
steve at openssl.org
Tue Jan 27 21:02:41 UTC 2015
On Tue, Jan 27, 2015, Serj wrote:
> Hi, Viktor.
>
> 27.01.2015, 23:07, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> > It is complete enough. The word "mumble" is not meant to be taken
>
> Your full code from the wiki is:
>
> const char *servername;
> SSL *ssl;
> X509_VERIFY_PARAM *param;
>
> servername = "www.example.com";
> ssl = SSL_new(...);
> param = SSL_get0_param(ssl);
>
> /* Enable automatic hostname checks */
> X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
> X509_VERIFY_PARAM_set1_host(param, servername, 0);
>
> /* Configure a non-zero callback if desired */
> SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);
>
> /*
> * Establish SSL connection, hostname should be checked
> * automatically. Test with a hostname that should not match:
> * the connection will fail (unless you specify a callback
> * that returns despite the verification failure. In that
> * case SSL_get_verify_status() can expose the problem after
> * connection completion).
> */
> ...
>
> You set here only "param":
> X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
> X509_VERIFY_PARAM_set1_host(param, servername, 0);
>
> But how is this variable associated with the "ssl" object or the "ctx" object?
> I really don't understand! Please explain in more detail.
>
It's this:
param = SSL_get0_param(ssl);
Because SSL_get0_param retrieves the internal pointer to the parameters used by
ssl, so if you modify those parameters, the modified versions will be used by
ssl.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org