25.01.2015, 20:59, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> On Sun, Jan 25, 2015 at 07:43:14PM +0300, Serj wrote:
>> What is the best way to make hostname validation?
>>
>> 1. http://wiki.openssl.org/index.php/Hostname_validation
>> 2. X509_check_host that was added in OpenSSL 1.1.0.
>
> The X509_check_host() interface is also available in OpenSSL 1.0.2
> released a few days ago
>
>     https://www.openssl.org/docs/crypto/X509_check_host.html
>
> (the documentation should be updated to note the earlier availability).
>
> Starting with 1.0.2, you can also ask OpenSSL to automatically
> perform hostname checks during the SSL handshake on the application's
> behalf:
>
>     https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_hostflags.html
>     https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set1_host.html
>     https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_add1_host.html
>     https://www.openssl.org/docs/ssl/SSL_set_verify.html
>
> Sadly, we're still lacking documentation of SSL_get0_param() which
> is needed for a complete SSL hostname check recipe:
>
>         const char *servername;
>         SSL *ssl;
>         X509_VERIFY_PARAM *param;
>
>         servername = "www.example.com";
>         ssl = SSL_new(...);
>         param = SSL_get0_param(ssl);
>
>         /* Enable automatic hostname checks */
>         X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
>         X509_VERIFY_PARAM_set1_host(param, servername, 0);
>
>         /* Configure a non-zero callback if desired */
>         SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);
>
>         /*
>          * Establish SSL connection, hostname should be checked
>          * automatically test with a hostname that should not match,
>          * the connection will fail (unless you specify a callback
>          * that returns despite the verification failure.  In that
>          * case SSL_get_verify_status() can expose the problem after
>          * connection completion.
>          */
>          ...
>
>> I don't know does the first one support wildcards or no! Seems
>> to be: how does Curl_cert_hostcheck work - is the answer, but I
>> don't know how it works.
>
> Wildcard support is configured via the flags documented for X509_check_host(),
> the two most frequently useful are:
>
>         X509_CHECK_FLAG_NO_WILDCARDS
>         X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
>
> --
>         Viktor.
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
Best Regards, Serj
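Added illustration, not part of the thread and not OpenSSL's code: a small self-contained model of the wildcard rules that the two flags Viktor lists select, so it is clear why his recipe sets X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS. The flag names and values below (MODEL_*) are constructed for this model; production code calls X509_check_host() or lets X509_VERIFY_PARAM_set1_host() run the check during the handshake, and reads the outcome with SSL_get_verify_result().

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define MODEL_NO_WILDCARDS         0x1u /* constructed: '*' is a literal character */
#define MODEL_NO_PARTIAL_WILDCARDS 0x2u /* constructed: only a bare "*" label is a wildcard */

/* DNS names are case-insensitive, so compare labels that way. */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Match one certificate label (at most one '*') against one hostname label. */
static bool label_match(const char *pat, size_t plen, const char *host, size_t hlen, unsigned flags)
{
    const char *star = memchr(pat, '*', plen);
    if (star == NULL || (flags & MODEL_NO_WILDCARDS))
        return label_eq(pat, plen, host, hlen);
    if ((flags & MODEL_NO_PARTIAL_WILDCARDS) && plen != 1)
        return false;                      /* "w*" or "*w" is refused */
    size_t pre = (size_t)(star - pat), suf = plen - pre - 1;
    if (hlen < pre + suf + 1)              /* the '*' must cover at least one char */
        return false;
    return label_eq(pat, pre, host, pre) &&
           label_eq(star + 1, suf, host + hlen - suf, suf);
}

/* Does certificate name `pattern` match `host` under `flags`? */
bool model_check_host(const char *pattern, const char *host, unsigned flags)
{
    const char *pdot = strchr(pattern, '.');
    const char *hdot = strchr(host, '.');
    if (pdot == NULL || hdot == NULL)      /* single label: literal compare only */
        return label_eq(pattern, strlen(pattern), host, strlen(host));
    /* Wildcard honoured only in the leftmost label with two labels after it: "*.example.com" yes, "*.com" no. */
    if (strchr(pdot + 1, '.') == NULL)
        flags |= MODEL_NO_WILDCARDS;
    if (!label_match(pattern, (size_t)(pdot - pattern), host, (size_t)(hdot - host), flags))
        return false;
    /* The remaining labels never contain a wildcard; they must be equal. */
    return label_eq(pdot + 1, strlen(pdot + 1), hdot + 1, strlen(hdot + 1));
}
```

Note that a wildcard never spans a dot, so "*.example.com" does not cover "a.b.example.com", and with MODEL_NO_WILDCARDS the asterisk only matches a literal asterisk.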