The smallest minimal example of an HTTPS GET request with openssl

Viktor Dukhovni openssl-users at
Sat Mar 30 20:50:17 UTC 2019

> On Mar 30, 2019, at 4:28 PM, Ivan Medoedov <ivan.medoedov at> wrote:
> Thanks, Viktor.

You're welcome.  One important note about the example on the Wiki.
Since OpenSSL 1.0.2, there is internal support for certificate
name checks.  You should not roll your own.

The SSL_set1_host(3) interface is present since OpenSSL 1.1.0.
In OpenSSL 1.0.2 you can use SSL_CTX_get0_param(3) and

        X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl);
        X509_VERIFY_PARAM_set1_host(vpm, "", 0);

Either of the above needs to happen before the handshake starts and
then the checks are made automatically as part of the handshake,
resulting in a certificate verification failure if the name checks

Alternatively, you can call  X509_check_host(3) after the handshake
completes.  This might also then need to happen after session resumption,
because the cached certificate validity would only cover the trust path,
and not the name checks.  But if you never resume sessions that failed
name checks previously, and never re-use sessions across different
host names (for the same IP e.g.) then you might be safe without, some
care is recommended.


More information about the openssl-users mailing list