On Tue, Feb 14, 2023 at 08:58:44AM -0600, Mark Hack wrote:

> I went and looked at the IX code and this, as we all suspected, has
> nothing to do with OpenSSL.
>
> Here is the offending code in ixwebsocket/IXSocketOpenSSL.cpp which
> ignores the IP addresses and only checks the DNS name entries:

OpenSSL, since the 1.0.2 release, has built-in name checks. There's no reason for applications or libraries to implement their own. Of course the application still has to decide what reference identifiers to configure (e.g., SSL_set1_host vs. X509_VERIFY_PARAM_set1_ip_asc).

The library in question is not sufficiently actively maintained to move on from deprecated anti-patterns. It should not be used.

-- Viktor.