Certificate subject match validation
theodor.serbana96 at gmail.com
Sun Mar 29 10:00:03 UTC 2020
Yes, indeed I don't want to take into account the CN, only the SANs. Thanks
for the extra flag and all the clarifications!
> > > > For now I am using X509_VERIFY_PARAM_set1_host with
> SSL_CTX_set1_param to
> > > > do this specific check.
> > >
> > > That's the slightly less convenient legacy API from OpenSSL 1.0.2.
> > > In 1.1.0 and later, you can use SSL_set1_host() (and in some
> > > cases also SSL_add1_host()).
> > >
> > > See the SSL_set1_host(3) manpage for details.
> > Indeed I re-read the docs and it says that users should not assume that
> > hostnames are validated by default without explicitly calling the API, I
> > must've missed that bit and thank you for letting me know. I will shift
> > towards using the newer SSL_set1_host together with some flags (I don't
> > want any wildcards).
> If your needs are sufficiently narrow to rule out connecting to sites
> that use wildcard certificates, perhaps they're also narrow enough to
> rule out sites that don't have subjectAltNames, in which case the
> flags could be:
> So you'll call either of (here a NULL callback, set a non-null callback
> if appropriate):
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); /* Just once */
> SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL); /* Per connection
> followed by (per connection):
> SSL_set1_host(ssl, "www.example.org");
> SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_WILDCARDS
> | X509_CHECK_FLAG_NEVER_CHECK_SUBJECT);
> which also insists on a DNS subject altname (the preferred way to
> authenticate DNS names), and never looks at any CN field in the subject
> > Now just to be extra safe I'm still asking: will the VERIFY_PEER option
> > together with SSL_set1_host instruct OpenSSL to perform all possible
> > on the certificate presented by the server such that no security breach
> > remains at this level? Is there anything else that I should call or
> > manually?
> No, the above is enough.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users