On Mon, Jan 26, 2015 at 03:10:57PM +0000, Viktor Dukhovni wrote:
> On Mon, Jan 26, 2015 at 01:07:54PM +0300, Serj wrote:
>
> > Thank you for answer.
> >
> > So, your recomendation is to use X509_check_host rather than code from wiki?
>
> Yes, definitely, provided of course you're linking with OpenSSL
> 1.0.2 or later.
To be precise, my recommendation is to populate the X509_VERIFY_PARAMS
with the desired hostname, and let the OpenSSL code call X509_check_host
automatically. Exactly as shown in my original reply.
This makes it easier to some day enable DANE TLSA support, because
with DANE, name checks need to be skipped for DANE-EE(3) TLSA
records, as the DNSSEC TLSA records provides the requisite name
binding instead.
Also with the X509_VERIFY_PARAM approach, name checks happen early,
and for applications that don't continue handshakes with unauthenticated
peers, terminate as early as possible.
There is an associated new X509 error code:
X509_V_ERR_HOSTNAME_MISMATCH
--
Viktor.
