Hi,

The "DNS" refers to the configuration value in your openssl.cnf file; it is the name of the "conf-value", e.g.

    subjectAltName = DNS:foo.bar.com, IP:10.11.12.13

Also look at doc/openssl.txt.

Greets
Christian

On Thu, Oct 24, 2002 at 11:57:42AM -0700, Edward Chan wrote:
> Hi there,
>
> I'm looking at some code for doing post connection checks to make sure
> the DNS name specified in the certificate matches the host the client is
> trying to connect to. The code is from Chapter 5 of "Network Security
> with OpenSSL".
>
> It looks like it first gets the subjectAltName field of the certificate,
> then tries to get the dNSName. However, it specifies "DNS" instead of
> "dNSName". Is this an error? Should it be "DNS" or "dNSName"? And if I
> want to check for IP address, should I specify "iPAddress"?
>
> The code is below. The line
>
>     if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
>
> looks suspicious to me.
>
> long post_connection_check(SSL *ssl, char *host)
> {
>     X509      *cert;
>     X509_NAME *subj;
>     char      data[256];
>     int       extcount;
>     int       ok = 0;
>
>     /* Checking the return from SSL_get_peer_certificate here is not strictly
>      * necessary. With our example programs, it is not possible for it to return
>      * NULL. However, it is good form to check the return since it can return NULL
>      * if the examples are modified to enable anonymous ciphers or for the server
>      * to not require a client certificate.
>      */
>     if (!(cert = SSL_get_peer_certificate(ssl)) || !host)
>         goto err_occured;
>     if ((extcount = X509_get_ext_count(cert)) > 0)
>     {
>         int i;
>
>         for (i = 0; i < extcount; i++)
>         {
>             char           *extstr;
>             X509_EXTENSION *ext;
>
>             ext = X509_get_ext(cert, i);
>             extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
>
>             if (!strcmp(extstr, "subjectAltName"))
>             {
>                 int                   j;
>                 unsigned char        *data;
>                 STACK_OF(CONF_VALUE) *val;
>                 CONF_VALUE           *nval;
>                 X509V3_EXT_METHOD    *meth;
>
>                 if (!(meth = X509V3_EXT_get(ext)))
>                     break;
>                 data = ext->value->data;
>
>                 val = meth->i2v(meth,
>                                 meth->d2i(NULL, &data, ext->value->length),
>                                 NULL);
>                 for (j = 0; j < sk_CONF_VALUE_num(val); j++)
>                 {
>                     nval = sk_CONF_VALUE_value(val, j);
>                     if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
>                     {
>                         ok = 1;
>                         break;
>                     }
>                 }
>             }
>             if (ok)
>                 break;
>         }
>     }
>
>     if (!ok && (subj = X509_get_subject_name(cert)) &&
>         X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) > 0)
>     {
>         data[255] = 0;
>         if (strcasecmp(data, host) != 0)
>             goto err_occured;
>     }
>
>     X509_free(cert);
>     return SSL_get_verify_result(ssl);
>
> err_occured:
>     if (cert)
>         X509_free(cert);
>     return X509_V_ERR_APPLICATION_VERIFICATION;
> }

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
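An added example, not code from this thread or from the book: the same post-connection identity check written over the name/value pairs the i2v call above produces, in plain C with a constructed stand-in for STACK_OF(CONF_VALUE) so it builds without linking OpenSSL. It assumes an iPAddress entry is named "IP Address" in i2v output (the openssl.cnf key Christian quotes is "IP"), and it consults the CN only when the SAN carries no DNS entry at all (RFC 6125), whereas the book's code falls back to the CN whenever no SAN matched.

```c
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

/* Constructed stand-in for the CONF_VALUE name/value pairs that
 * OpenSSL's i2v produces from a subjectAltName extension. */
typedef struct { const char *name; const char *value; } san_entry;

/* Sample SANs as a certificate issued from Christian's config line
 * (DNS:foo.bar.com, IP:10.11.12.13) would carry; "IP Address" is the
 * assumed i2v name for an iPAddress entry (the config key is "IP"). */
const san_entry SAMPLE_SAN[2] = { {"DNS", "foo.bar.com"}, {"IP Address", "10.11.12.13"} };

/* Compare two textual IP addresses by binary value, so IPv6 spellings
 * such as "::1" and "0:0:0:0:0:0:0:1" compare equal. */
static int ip_equal(const char *a, const char *b)
{
    unsigned char ba[16], bb[16];
    if (inet_pton(AF_INET, a, ba) == 1 && inet_pton(AF_INET, b, bb) == 1)
        return memcmp(ba, bb, 4) == 0;
    if (inet_pton(AF_INET6, a, ba) == 1 && inet_pton(AF_INET6, b, bb) == 1)
        return memcmp(ba, bb, 16) == 0;
    return 0;
}

/* Returns 1 if host is an acceptable identity for a certificate with these
 * SAN entries and this CN (cn may be NULL), else 0. DNS names compare
 * case-insensitively, IP literals only against iPAddress entries, and the
 * CN is consulted only when the SAN has no DNS entry at all (RFC 6125). */
int identity_matches(const san_entry *sans, size_t n, const char *cn, const char *host)
{
    unsigned char tmp[16];
    int host_is_ip = inet_pton(AF_INET, host, tmp) == 1 || inet_pton(AF_INET6, host, tmp) == 1;
    int saw_dns = 0;

    for (size_t i = 0; i < n; i++) {
        if (strcmp(sans[i].name, "DNS") == 0) {
            saw_dns = 1;
            if (!host_is_ip && strcasecmp(sans[i].value, host) == 0)
                return 1;
        } else if (strcmp(sans[i].name, "IP Address") == 0) {
            if (host_is_ip && ip_equal(sans[i].value, host))
                return 1;
        }
    }
    if (host_is_ip || saw_dns || cn == NULL)
        return 0;           /* no match, and the CN may not be used */
    return strcasecmp(cn, host) == 0;
}
```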