Hostname validation

25.01.2015, 20:59, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> On Sun, Jan 25, 2015 at 07:43:14PM +0300, Serj wrote:
>> What is the best way to make hostname validation?
>>
>> 1. http://wiki.openssl.org/index.php/Hostname_validation
>> 2. X509_check_host that was added in OpenSSL 1.1.0.
>
> The X509_check_host() interface is also available in OpenSSL 1.0.2,
> released a few days ago:
>
>     https://www.openssl.org/docs/crypto/X509_check_host.html
>
> (the documentation should be updated to note the earlier availability).
>
> Starting with 1.0.2, you can also ask OpenSSL to automatically
> perform hostname checks during the SSL handshake on the application's
> behalf:
>
>     https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_hostflags.html
>     https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set1_host.html
>     https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_add1_host.html
>     https://www.openssl.org/docs/ssl/SSL_set_verify.html
>
> Sadly, we're still lacking documentation of SSL_get0_param() which
> is needed for a complete SSL hostname check recipe:
>
>         const char *servername;
>         SSL *ssl;
>         X509_VERIFY_PARAM *param;
>
>         servername = "www.example.com";
>         ssl = SSL_new(...);
>         param = SSL_get0_param(ssl);
>
>         /* Enable automatic hostname checks */
>         X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
>         X509_VERIFY_PARAM_set1_host(param, servername, 0);
>
>         /* Configure a non-zero callback if desired */
>         SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);
>
>         /*
>          * Establish SSL connection, hostname should be checked
>          * automatically. Test with a hostname that should not match:
>          * the connection will fail (unless you specify a callback
>          * that returns despite the verification failure. In that
>          * case SSL_get_verify_status() can expose the problem after
>          * connection completion).
>          */
>         ...
>
>> I don't know whether the first one supports wildcards or not! Seems
>> to be: how does Curl_cert_hostcheck work - is the answer, but I
>> don't know how it works.
>
> Wildcard support is configured via the flags documented for X509_check_host();
> the two most frequently useful are:
>
>         X509_CHECK_FLAG_NO_WILDCARDS
>         X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
>
> --
>         Viktor.
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
Best Regards,

Serj
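The recipe Viktor quotes above ends in "...", so here is an added, runnable illustration of the same procedure that is not part of the thread and not OpenSSL code: it is written in Go, whose crypto/tls client performs the hostname check automatically during the handshake once `ServerName` is set, which is the counterpart of `X509_VERIFY_PARAM_set1_host()`. The certificate, its SAN list, and every hostname below are constructed for this example. One assumption to keep in mind when mapping it back to OpenSSL: Go's crypto/x509 behaves as if `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` were always set (a `*` is honoured only as a whole leftmost label) and it ignores the subject CN entirely, so the example also exercises a partial-wildcard SAN (`f*.example.com`) to show that it never matches.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway, self-signed server certificate (constructed
// for this example) whose SAN dNSName list is exactly dnsNames. The CN is set to
// a name that appears nowhere else to make it visible that it plays no role.
func selfSignedCert(dnsNames []string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "cn-is-ignored.example.com"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the cert act as its own trust anchor
		DNSNames:              dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// handshake runs one client/server TLS handshake over a loopback TCP socket and
// returns the client's verification result: nil when serverName matched the
// certificate, a wrapped x509.HostnameError when it did not. This is the
// "establish connection, the hostname is checked automatically" step of the recipe.
func handshake(cert tls.Certificate, leaf *x509.Certificate, serverName string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()

	roots := x509.NewCertPool()
	roots.AddCert(leaf) // trust the constructed cert so only the name check can fail

	serverErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		serverErr <- tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, &tls.Config{
		RootCAs:    roots,
		ServerName: serverName, // equivalent of X509_VERIFY_PARAM_set1_host(param, servername, 0)
		MinVersion: tls.VersionTLS12,
	})
	err = cli.Handshake()
	<-serverErr // let the server side observe the outcome before tearing down
	return err
}

func main() {
	cert, leaf, err := selfSignedCert([]string{"www.example.com", "*.example.net", "f*.example.com"})
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"www.example.com", "api.example.net", "deep.api.example.net",
		"example.net", "foo.example.com", "attacker.example.org"} {
		var he x509.HostnameError
		switch err := handshake(cert, leaf, name); {
		case err == nil:
			fmt.Printf("%-22s accepted\n", name)
		case errors.As(err, &he):
			fmt.Printf("%-22s rejected: hostname mismatch\n", name)
		default:
			fmt.Printf("%-22s failed: %v\n", name, err)
		}
	}
}
```

Only `www.example.com` and `api.example.net` complete the handshake; `example.net` and `deep.api.example.net` fail because a wildcard covers exactly one label, `foo.example.com` fails because the partial wildcard is never honoured, and `attacker.example.org` is the plain mismatch case. A callback that swallows the verification failure, as the quoted comment warns, is the only way to turn these into successful connections, so if one is installed, the verify result must be inspected after the handshake.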
