Hostname validation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Jan 25, 2015 at 07:43:14PM +0300, Serj wrote:

> What is the best way to make hostname validation?
> 
> 1. http://wiki.openssl.org/index.php/Hostname_validation
> 2. X509_check_host that was added in OpenSSL 1.1.0.

The X509_check_host() interface is also available in OpenSSL 1.0.2
released a few days ago

    https://www.openssl.org/docs/crypto/X509_check_host.html

(the documentation should be updated to note the earlier availability).

Starting with 1.0.2, you can also ask OpenSSL to automatically
perform hostname checks during the SSL handshake on the application's
behalf:

    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_hostflags.html
    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set1_host.html
    https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_add1_host.html
    https://www.openssl.org/docs/ssl/SSL_set_verify.html

Sadly, we're still lacking documentation of SSL_get0_param() which
is needed for a complete SSL hostname check recipe:

	const char *servername;
	SSL *ssl;
	X509_VERIFY_PARAM *param;

	servername = "www.example.com";
	ssl = SSL_new(...);
	param = SSL_get0_param(ssl);

	/* Enable automatic hostname checks */
	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
	X509_VERIFY_PARAM_set1_host(param, servername, 0);

	/* Configure a non-zero callback if desired */
	SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);

	/*
	 * Establish SSL connection, hostname should be checked
	 * automatically test with a hostname that should not match,
	 * the connection will fail (unless you specify a callback
	 * that returns despite the verification failure.  In that
	 * case SSL_get_verify_status() can expose the problem after
	 * connection completion.
	 */
	 ...

> I don't know does the first one support wildcards or no! Seems
> to be: how does Curl_cert_hostcheck work - is the answer, but I
> don't know how it works.

Wildcard support is configured via the flags documented for X509_check_host(),
the two most frequently useful are:

	X509_CHECK_FLAG_NO_WILDCARDS
	X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

-- 
	Viktor.


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux