Certificate subject match validation

George-Theodor Serbana theodor.serbana96 at gmail.com
Fri Mar 27 17:38:35 UTC 2020


I am writing a SSL/TLS client (using Boost.Beast but underlying it's using
OpenSSL) and although I have set on the SSL context the 'verify_peer' flag,
there is no verification to prove the server presents an X509 which
contains in the Subject Alternative Names the hostname of that server.

As this is probably the dumbest type of attack someone could do (using a
valid certificate with another domain name), I am thinking I'm doing
something wrong. But from the documentation, I saw that using "verify_peer"
should perform all the verifications...

Now if not even this simple check is being done, how about expiration of
the certificate, revocation status and other checks? Should they be
performed manually as well?

For now I am using X509_VERIFY_PARAM_set1_host with SSL_CTX_set1_param to
do this specific check.

Best regards,
Theodor
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20200327/90faab91/attachment.html>


More information about the openssl-users mailing list