I have a question regarding the flag "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS".
In the book of Ivan Ristic (Bullet Proof TLS and PKI), chapter 12, section Creating Certificates for Multiple Hostnames, the author uses a wildcard in the SAN (*.feistyduck.com).
1. www.feistyduck.com ?
4. feistyduck.com ?
Le mer. 15 févr. 2023, à 12 h 28, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> a écrit :
On Wed, Feb 15, 2023 at 09:45:01AM -0500, Pierre-Luc Boily wrote:
> I guess that you also tell me to use another library because if this
> simple thing (checking the ip address) is not well implemented, we
> cannot trust the rest of the implementation!
Actually, what disturbed me was not lack of support for IP addresses,
- The library maintainer's handwaving response to the issue
- The fact that reportedly in-application name checks have
not yet been removed, though a decade or so obsolete.
> So, I guess that I should do something like this instead :
Yes, with minor tweaks:
// We are connecting to an IP address. let OpenSSL validate the
// IP address in SAN
X509_VERIFY_PARAM *param = SSL_get0_param(_ssl_connection);
X509_VERIFY_PARAM_set1_host(param, NULL, 0);
// Both CN-ID and partial wildcards are deprecated
// Optionally, reject all wildcards via:
// See X509_check_host(3).
The hostname is presumed NUL-terminated, otherwise indeed use
X509_VERIFY_PARAM_set1_host() also for hostnames. It would also be
appropriate to check the success/failure of the various calls, check the
documentation for details.
If (very unlikely) you want to check the certificate for BOTH a matching
name AND a matching IP address, you can set up the verification
parameters to have both a hostname and an IP addresss.