On Fri, Jun 04, 2010 at 01:19:52AM +0100, David Woodhouse wrote:
> On Thu, 2010-06-03 at 13:47 -0400, Victor Duchovni wrote:
> > Generally, OpenSSL does not verify peer names, only the certificate
> > trust chain, and peername checks are left up to applications.
>
> Which is a shame... I'm far too stupid to be writing code like
> http://git.infradead.org/users/dwmw2/openconnect.git?a=blob;f=ssl.c;hp=v2.25#l436
> for myself, and I would much rather have used a library function ;)
The problem is that only the application knows which names are those of
the peer it tried to reach. The OpenSSL library is not an HTTPS client,
or an SMTP STARTTLS client, ...

Which is not to say that peername extraction is made as easy as it could
be, but ultimately some of the magic has to happen in application (or
application library) code.

--
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
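The application-side peer-name check the thread is talking about, as an added illustration that is not code from either poster, from OpenSSL or from openconnect: a matcher written over the certificate dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, run against a constructed sample certificate. It goes a little beyond the thread's one sentence by also covering leftmost-label wildcards, IP-literal peers and the legacy CN fallback, which are the cases that usually go wrong when each application rolls this itself.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),),
                (("commonName", "cn-only.example.org"),)),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "*.mail.example.org"),
                       ("IP Address", "192.0.2.10")),
}

def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None  # not an IP literal (or a malformed SAN entry)

def dns_name_matches(pattern, hostname):
    """Match one dNSName against the name the client dialled.  A wildcard
    may only stand for the whole leftmost label: '*.mail.example.org'
    matches 'smtp.mail.example.org' but not 'mail.example.org' or
    'a.b.mail.example.org'; 'f*.example.org' is rejected outright."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
        return False  # partial, non-leftmost or too-broad ('*.com') wildcard
    return len(h) == len(p) and h[1:] == p[1:]

def peer_name_matches(cert, expected):
    """True if 'expected' (DNS name or IP literal) is a name the certificate
    was issued for: the step OpenSSL itself leaves to the application."""
    san = cert.get("subjectAltName", ())
    wanted_ip = _parse_ip(expected)
    if wanted_ip is not None:
        # An IP literal is compared only with iPAddress entries, never with
        # dNSName entries or the CN.
        return any(kind == "IP Address" and _parse_ip(val) == wanted_ip
                   for kind, val in san)
    dns_names = [val for kind, val in san if kind == "DNS"]
    if dns_names:
        return any(dns_name_matches(n, expected) for n in dns_names)
    # Legacy fallback: consult the subject CN only when the cert carries no
    # dNSName entries at all.
    cns = [val for rdn in cert.get("subject", ()) for key, val in rdn
           if key == "commonName"]
    return bool(cns) and dns_name_matches(cns[-1], expected)
```

The trust-chain check still belongs to the library; this function is only the name comparison, and it must run after the chain has verified, since a name match on an untrusted certificate proves nothing.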