On Sun, Jan 25, 2015 at 07:43:14PM +0300, Serj wrote:

> What is the best way to make hostname validation?
>
> 1. http://wiki.openssl.org/index.php/Hostname_validation
> 2. X509_check_host that was added in OpenSSL 1.1.0.

The X509_check_host() interface is also available in OpenSSL 1.0.2, released a few days ago:

    https://www.openssl.org/docs/crypto/X509_check_host.html

(the documentation should be updated to note the earlier availability).

Starting with 1.0.2, you can also ask OpenSSL to automatically perform hostname checks during the SSL handshake on the application's behalf:

    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_hostflags.html
    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set1_host.html
    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_add1_host.html
    https://www.openssl.org/docs/ssl/SSL_set_verify.html

Sadly, we're still lacking documentation of SSL_get0_param(), which is needed for a complete SSL hostname check recipe:

    #include <openssl/ssl.h>
    #include <openssl/x509v3.h>

    /*
     * Create an SSL handle from the caller's SSL_CTX with automatic
     * hostname checks enabled for servername (OpenSSL >= 1.0.2),
     * e.g. ssl_new_with_hostcheck(ctx, "www.example.com").
     * Returns NULL on failure.
     */
    SSL *ssl_new_with_hostcheck(SSL_CTX *ctx, const char *servername)
    {
        SSL *ssl;
        X509_VERIFY_PARAM *param;

        ssl = SSL_new(ctx);
        if (ssl == NULL)
            return NULL;
        param = SSL_get0_param(ssl);

        /* Enable automatic hostname checks */
        X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
        if (!X509_VERIFY_PARAM_set1_host(param, servername, 0)) {
            SSL_free(ssl);
            return NULL;
        }

        /* Configure a non-zero callback if desired */
        SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);

        /*
         * Establish the SSL connection; the hostname should be checked
         * automatically.  Test with a hostname that should not match:
         * the connection will fail (unless you specify a callback that
         * returns success despite the verification failure.  In that
         * case SSL_get_verify_result() can expose the problem after
         * connection completion).
         */
        return ssl;
    }

> I don't know whether the first one supports wildcards or not! Seems
> to be: how does Curl_cert_hostcheck work - is the answer, but I
> don't know how it works.
Wildcard support is configured via the flags documented for X509_check_host(); the two most frequently useful are:

    X509_CHECK_FLAG_NO_WILDCARDS
    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

-- 
Viktor.
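The following is an added example, not part of Viktor's mail and not OpenSSL's code: a small stand-alone model of the wildcard rules that X509_CHECK_FLAG_NO_WILDCARDS and X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS select in X509_check_host(), written so it can be compiled and run without linking OpenSSL. The function name hostname_matches(), the HC_* flag constants and the sample name pairs are assumptions made for the illustration. It models the documented behaviour (one wildcard, only in the leftmost label, at its start or end, at least two labels after it, never matching across a '.') and omits OpenSSL's extra IDNA ("xn--") and multi-label rules; in real code, call X509_check_host() or use the automatic checks above rather than a hand-rolled matcher.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the two OpenSSL flag names; values are arbitrary. */
#define HC_NO_WILDCARDS          0x01u
#define HC_NO_PARTIAL_WILDCARDS  0x02u

/* DNS names compare case-insensitively. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * Return 1 if host matches the certificate DNS name pattern under flags,
 * else 0.  Rules modelled: at most one '*', only in the leftmost label,
 * at the start or end of that label ("w*w.example.com" is rejected),
 * with at least two labels after it ("*.com" is rejected); the wildcard
 * never spans a '.', and a full-label wildcard must match at least one
 * character.  HC_NO_WILDCARDS rejects every wildcard pattern and
 * HC_NO_PARTIAL_WILDCARDS rejects "www*." / "*www." style patterns.
 */
int hostname_matches(const char *pattern, const char *host, unsigned flags)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    const char *star = strchr(pattern, '*');
    const char *pdot, *hdot, *p;
    size_t prefix_len, infix_len, hlabel_len, ptail_len, htail_len;

    if (star == NULL)                          /* no wildcard: exact match */
        return plen == hlen && eq_nocase(pattern, host, plen);
    if (flags & HC_NO_WILDCARDS)
        return 0;
    if (strchr(star + 1, '*') != NULL)         /* at most one wildcard */
        return 0;
    pdot = strchr(pattern, '.');
    if (pdot == NULL || star > pdot)           /* wildcard only in leftmost label */
        return 0;
    if (strchr(pdot + 1, '.') == NULL)         /* at least two labels after it */
        return 0;

    prefix_len = (size_t)(star - pattern);     /* "www" in "www*.example.com" */
    infix_len  = (size_t)(pdot - star - 1);    /* "www" in "*www.example.com" */
    if (prefix_len != 0 && infix_len != 0)     /* "w*w.example.com" */
        return 0;
    if ((prefix_len != 0 || infix_len != 0) && (flags & HC_NO_PARTIAL_WILDCARDS))
        return 0;

    /* Everything after the first label must match literally. */
    hdot = strchr(host, '.');
    if (hdot == NULL)
        return 0;
    ptail_len = plen - (size_t)(pdot - pattern);
    htail_len = hlen - (size_t)(hdot - host);
    if (ptail_len != htail_len || !eq_nocase(pdot, hdot, ptail_len))
        return 0;

    /* The leftmost host label is prefix + wildcard part + infix. */
    hlabel_len = (size_t)(hdot - host);
    if (hlabel_len < prefix_len + infix_len)
        return 0;
    if (!eq_nocase(host, pattern, prefix_len))
        return 0;
    if (!eq_nocase(hdot - infix_len, star + 1, infix_len))
        return 0;
    if (prefix_len == 0 && infix_len == 0 && hlabel_len == 0)
        return 0;                              /* "*.example.com" vs ".example.com" */
    /* Characters matched by the '*' must be plain hostname characters. */
    for (p = host + prefix_len; p != hdot - infix_len; p++)
        if (!isalnum((unsigned char)*p) && *p != '-')
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs for the illustration. */
    static const struct { const char *pat, *host; unsigned flags; } cases[] = {
        { "www.example.com",  "WWW.Example.COM",  0 },
        { "*.example.com",    "www.example.com",  0 },
        { "*.example.com",    "www.example.com",  HC_NO_WILDCARDS },
        { "*.example.com",    "a.b.example.com",  0 },
        { "www*.example.com", "www1.example.com", 0 },
        { "www*.example.com", "www1.example.com", HC_NO_PARTIAL_WILDCARDS },
        { "w*w.example.com",  "www.example.com",  0 },
        { "*.com",            "example.com",      0 },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s %-18s flags=%u -> %s\n", cases[i].pat, cases[i].host,
               cases[i].flags,
               hostname_matches(cases[i].pat, cases[i].host, cases[i].flags)
                   ? "match" : "no match");
    return 0;
}
```

The table in main() shows the practical difference between the two flags: with no flags, "www*.example.com" is accepted as a partial wildcard; X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS rejects it while still allowing "*.example.com"; X509_CHECK_FLAG_NO_WILDCARDS rejects both. In every mode a wildcard never matches more than one label, so "*.example.com" does not match "a.b.example.com".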