Re: Hostname validation in OpenSSL 1.1.0

> On Apr 4, 2017, at 5:57 PM, Hajjar, Alain (US) <ahajjar@xxxxxxxxxxxxxxxxx> wrote:
> 
> I am looking for confirmation regarding the hostname validation
> implementation in OpenSSL 1.1.0. Is the example code at
> https://wiki.openssl.org/index.php/Hostname_validation the correct
> way to do hostname validation with both 1.1.0 and 1.0.2? 

Looks reasonable.

> Specifically, in order for OpenSSL 1.1.0 to automatically perform
> hostname checks, does the calling application need to use both
> X509_VERIFY_PARAM_set1_host (with the expected DNS hostname) and
> SSL_set_verify (with SSL_VERIFY_PEER) as is the case for
> OpenSSL 1.0.2?

Setting the hostname causes hostname checks to happen, regardless
of the SSL verification mode.  Applications that want the SSL
handshake to be aborted on verification failure can set SSL_VERIFY_PEER.
Applications that want to be able to continue despite verification failure,
can set SSL_VERIFY_NONE, and check the results of SSL_get_verify_result()
as described in:

    https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_verify.html
    https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_verify.html

Postfix (for which I maintain the TLS stack) uses the SSL_VERIFY_NONE
approach, completes the handshake, and politely disconnects from the
server at the SMTP layer (sends "QUIT<CRLF>") when server authentication
fails.  Other applications may prefer to abort the handshake with a
suitable TLS-layer alert.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
