> On Apr 4, 2017, at 5:57 PM, Hajjar, Alain (US) <ahajjar@xxxxxxxxxxxxxxxxx> wrote:
>
> I am looking for confirmation regarding the hostname validation
> implementation in OpenSSL 1.1.0. Is the example code at
> https://wiki.openssl.org/index.php/Hostname_validation the correct
> way to do hostname validation with both 1.1.0 and 1.0.2?

Looks reasonable.

> Specifically, in order for OpenSSL 1.1.0 to automatically perform
> hostname checks, does the calling application need to use both
> X509_VERIFY_PARAM_set1_host (with the expected DNS hostname) and
> SSL_set_verify (with SSL_VERIFY_PEER) as is the case for
> OpenSSL 1.0.2?

Setting the hostname causes hostname checks to happen, regardless of
the SSL verification mode. Applications that want the SSL handshake
to be aborted on verification failure can set SSL_VERIFY_PEER.
Applications that want to be able to continue despite verification
failure can set SSL_VERIFY_NONE, and check the results of
SSL_get_verify_result() as described in:

https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_verify.html
https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_verify.html

Postfix (for which I maintain the TLS stack) uses the SSL_VERIFY_NONE
approach, completes the handshake, and politely disconnects from the
server at the SMTP layer (sends "QUIT<CRLF>") when server
authentication fails. Other applications may prefer to abort the
handshake with a suitable TLS-layer alert.

--
Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users