How does a client get the server's SAN/DNS strings

Viktor Dukhovni openssl-users at
Sat Apr 16 21:09:22 UTC 2022

On Sat, Apr 16, 2022 at 01:18:57PM -0700, Hal Murray wrote:

> I can get the subject and issuer with
>   X509_get_subject_name and X509_get_issuer_name
> I'm looking for something similar to get the SAN/DNS strings used to verify 
> that this certificate is valid for the hostname provided via SSL_set1_host
> Any API will be slightly complicated since there may be more than one SAN/DNS 
> string.

Can you explain *why* you want the list of DNS names?  What's wrong with
letting OpenSSL doing the validation for you?  Is this just for logging,
or do you intend to supplant the built-in name checks?


More information about the openssl-users mailing list