Hello,
My compiler doesn't like the following defines: "X509_CHECK_FLAG_NEVER_CHECK_SUBJECT" and "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS". When I add the include file "x509v3.h", the compiler now complains about line 181 in x509v3.h, which is probably because it doesn't know what "X509_NAME" is.
My compiler is Visual Studio 2017 and I use OpenSSL (compiled under Visual Studio 2017 as well).
Should I ask this question under the dev mailing list instead?
Thank you.
On Wed, Feb 15, 2023 at 12:28 PM, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Wed, Feb 15, 2023 at 09:45:01AM -0500, Pierre-Luc Boily wrote:
> I guess that you also tell me to use another library because if this
> simple thing (checking the ip address) is not well implemented, we
> cannot trust the rest of the implementation!
Actually, what disturbed me was not lack of support for IP addresses,
but:
- The library maintainer's handwaving response to the issue
- The fact that reportedly in-application name checks have
not yet been removed, though a decade or so obsolete.
> So, I guess that I should do something like this instead :
Yes, with minor tweaks:
    if (isIpAddress(host))
    {
        // We are connecting to an IP address. let OpenSSL validate the
        // IP address in SAN
        X509_VERIFY_PARAM *param = SSL_get0_param(_ssl_connection);
        X509_VERIFY_PARAM_set1_host(param, NULL, 0);
        X509_VERIFY_PARAM_set1_ip_asc(param, host.c_str());
    }
    else
    {
        SSL_set1_host(_ssl_connection, host.c_str());
        // Both CN-ID and partial wildcards are deprecated
        // Optionally, reject all wildcards via:
        //   X509_CHECK_FLAG_NO_WILDCARDS
        // See X509_check_host(3).
        //
        SSL_set_hostflags(_ssl_connection,
                          X509_CHECK_FLAG_NEVER_CHECK_SUBJECT |
                          X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    }
The hostname is presumed NUL-terminated, otherwise indeed use
X509_VERIFY_PARAM_set1_host() also for hostnames. It would also be
appropriate to check the success/failure of the various calls, check the
documentation for details.
If (very unlikely) you want to check the certificate for BOTH a matching
name AND a matching IP address, you can set up the verification
parameters to have both a hostname and an IP address.
--
Viktor.