Hi,

The "DNS" refers to the configuration value in your openssl.cnf file;
it is the name of the "conf-value", e.g.
subjectAltName = DNS:foo.bar.com, IP:10.11.12.13

Also look at doc/openssl.txt.

Greets

Christian
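As an added example (not code from this thread or from the book), here is what a post-connection hostname check looks like when it compares the subjectAltName entry *type* instead of the label string that i2v produces, so the "DNS" versus "dNSName" question does not arise. It is plain C with no OpenSSL dependency so it builds stand-alone: the `san_type` enum and `san_entry` struct are assumed stand-ins for OpenSSL's GENERAL_NAME (GEN_DNS, GEN_IPADD, GEN_EMAIL), and the SAN list is constructed. For reference, OpenSSL's i2v routine labels an IP entry "IP Address", while "IP:" is the openssl.cnf spelling. Two things the posted code does differently are worth noting from a defender's view: it compares the DNS name case-sensitively with strcmp, and when no SAN entry matched and the subject has no CN at all it falls through to `SSL_get_verify_result`, so a certificate with a non-matching SAN and no CN would be accepted. The example below matches DNS names case-insensitively, restricts wildcards to the whole leftmost label, compares IPv4 literals as bytes, and has no CN fallback at all (RFC 6125 says the CN must not be consulted when a dNSName SAN is present).

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed stand-in for OpenSSL's GENERAL_NAME type tags (GEN_DNS, GEN_IPADD, GEN_EMAIL). */
enum san_type { SAN_DNS, SAN_IP, SAN_EMAIL };

/* One subjectAltName entry in textual form, e.g. "foo.bar.com" or "10.11.12.13". */
struct san_entry { enum san_type type; const char *value; };

/* Label OpenSSL's i2v_GENERAL_NAME gives each entry (what nval->name holds in the
 * posted code). Note "IP Address", not "IP": "IP:" is the openssl.cnf spelling. */
const char *san_i2v_label(enum san_type t)
{
    return t == SAN_DNS ? "DNS" : t == SAN_IP ? "IP Address" : "email";
}

/* ASCII case-insensitive equality of n bytes; DNS names are case-insensitive. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Strict dotted-decimal IPv4 parser: 1 and out[] filled on success, else 0. */
static int parse_ipv4(const char *s, unsigned char out[4])
{
    for (int i = 0; i < 4; i++) {
        int v = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (*s++ - '0');
            if (++digits > 3 || v > 255) return 0;
        }
        if (digits == 0) return 0;
        out[i] = (unsigned char)v;
        if (i < 3 && *s++ != '.') return 0;
    }
    return *s == '\0';
}

/* One dNSName entry against host: exact match (case-insensitive, a trailing dot tolerated),
 * or a wildcard that is the whole leftmost label with at least two labels after it,
 * so "*.example.org" is allowed but "*.com" and "w*.example.org" are not. */
static int dns_name_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen && pattern[plen - 1] == '.') plen--;
    if (hlen && host[hlen - 1] == '.') hlen--;
    if (plen == 0 || hlen == 0) return 0;
    if (pattern[0] == '*') {
        const char *suffix = pattern + 1;          /* e.g. ".example.org" */
        size_t slen = plen - 1;
        int dots = 0;
        if (slen < 2 || suffix[0] != '.') return 0;
        for (size_t i = 0; i < slen; i++) {
            if (suffix[i] == '*') return 0;        /* only one wildcard allowed */
            if (suffix[i] == '.') dots++;
        }
        if (dots < 2) return 0;
        const char *hdot = memchr(host, '.', hlen);
        if (hdot == NULL || hdot == host) return 0; /* host needs a non-empty first label */
        return hlen - (size_t)(hdot - host) == slen && ieq(hdot, suffix, slen);
    }
    if (memchr(pattern, '*', plen) != NULL) return 0; /* wildcard elsewhere: reject */
    return plen == hlen && ieq(pattern, host, plen);
}

/* Post-connection check: 1 if host (DNS name or IPv4 literal) is covered by the presented
 * subjectAltName entries, else 0. Type tags are compared, not label strings; no CN fallback. */
int san_matches_host(const struct san_entry *sans, size_t n, const char *host)
{
    unsigned char want[4], got[4];
    int host_is_ip = parse_ipv4(host, want);
    for (size_t i = 0; i < n; i++) {
        if (host_is_ip && sans[i].type == SAN_IP &&
            parse_ipv4(sans[i].value, got) && memcmp(want, got, 4) == 0)
            return 1;
        if (!host_is_ip && sans[i].type == SAN_DNS &&
            dns_name_matches(sans[i].value, host))
            return 1;
    }
    return 0;
}

/* Constructed sample: the entries a certificate issued from Christian's example
 * config line would carry, plus one wildcard entry. */
const struct san_entry kSampleSans[] = {
    { SAN_DNS, "foo.bar.com" }, { SAN_DNS, "*.example.org" }, { SAN_IP, "10.11.12.13" },
};
const size_t kSampleSanCount = sizeof kSampleSans / sizeof kSampleSans[0];

int main(void)
{
    const char *hosts[] = { "FOO.bar.com", "www.example.org", "example.org", "10.11.12.14" };
    for (size_t i = 0; i < kSampleSanCount; i++)
        printf("%-10s %s\n", san_i2v_label(kSampleSans[i].type), kSampleSans[i].value);
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s -> %s\n", hosts[i],
               san_matches_host(kSampleSans, kSampleSanCount, hosts[i]) ? "ok" : "REJECT");
    return 0;
}
```

In real OpenSSL code the equivalent is to walk the GENERAL_NAMES returned by `X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL)` and switch on `gen->type`, which is what the type-tag comparison above stands for; the point is that the string label is a display artefact of i2v, not the thing to branch on.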


On Thu, Oct 24, 2002 at 11:57:42AM -0700, Edward Chan wrote:
> Hi there,
> 
> I'm looking at some code for doing post connection
> checks to make sure the DNS name specified in the
> certificate matches the host the client is trying to
> connect to.  The code is from Chapter 5 of "Network
> Security with OpenSSL".  
> 
> It looks like it first gets the subjectAltName field
> of the certificate, then tries to get the dNSName.
> However, it specifies "DNS" instead of "dNSName".  Is
> this an error?  Should it be "DNS" or "dNSName"?  And
> if I want to check for IP address, should I specify
> "iPAddress"?
> 
> The code is below. The line
> 
> if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
> 
> looks suspicious to me.
> 
> 
> long post_connection_check(SSL *ssl, char *host)
> {
>     X509      *cert;
>     X509_NAME *subj;
>     char      data[256];
>     int       extcount;
>     int       ok = 0;
>  
>     /* Checking the return from SSL_get_peer_certificate here is not strictly
>      * necessary.  With our example programs, it is not possible for it to return
>      * NULL.  However, it is good form to check the return since it can return NULL
>      * if the examples are modified to enable anonymous ciphers or for the server
>      * to not require a client certificate.
>      */
>     if (!(cert = SSL_get_peer_certificate(ssl)) || !host)
>         goto err_occured;
>     if ((extcount = X509_get_ext_count(cert)) > 0)
>     {
>         int i;
>  
>         for (i = 0;  i < extcount;  i++)
>         {
>             char              *extstr;
>             X509_EXTENSION    *ext;
>  
>             ext = X509_get_ext(cert, i);
>             extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
>  
>             if (!strcmp(extstr, "subjectAltName"))
>             {
>                 int                  j;
>                 unsigned char        *data;
>                 STACK_OF(CONF_VALUE) *val;
>                 CONF_VALUE           *nval;
>                 X509V3_EXT_METHOD    *meth;
>  
>                 if (!(meth = X509V3_EXT_get(ext)))
>                     break;
>                 data = ext->value->data;
>  
>                 val = meth->i2v(meth,
>                                 meth->d2i(NULL, &data, ext->value->length),
>                                 NULL);
>                 for (j = 0;  j < sk_CONF_VALUE_num(val);  j++)
>                 {
>                     nval = sk_CONF_VALUE_value(val, j);
>                     if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
>                     {
>                         ok = 1;
>                         break;
>                     }
>                 }
>             }
>             if (ok)
>                 break;
>         }
>     }
>  
>     if (!ok && (subj = X509_get_subject_name(cert)) &&
>         X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) > 0)
>     {
>         data[255] = 0;
>         if (strcasecmp(data, host) != 0)
>             goto err_occured;
>     }
>  
>     X509_free(cert);
>     return SSL_get_verify_result(ssl);
>  
> err_occured:
>     if (cert)
>         X509_free(cert);
>     return X509_V_ERR_APPLICATION_VERIFICATION;
> }
> 
> 
> 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
