Hi, Viktor.

27.01.2015, 20:23, "Viktor Dukhovni" <openssl-us...@dukhovni.org>:
> I would set SSL verification parameters is to obtain the parameter
> handle via SSL_get0_param() or where appropriate SSL_CTX_get0_param(),
> and use the various X509_VERIFY_PARAM_mumble() functions to tweak
> the parameter object in place.

Why aren't there any X509_VERIFY_PARAM_mumble() functions in your code?
So your code is not complete?
And if so, why was it already added to the wiki here:
http://wiki.openssl.org/index.php/Hostname_validation


> As I mentioned, this function should be documented, but is not yet.
> The documentation for these functions is not yet written.  The way
> Yes, these need (more) documentation.

That's why maybe it is better to use X509_check_host() in "post connection
checks" now?

It's strange, why do I read in the documentation:
----------------------------------------------------------------------------------
Applications are strongly advised to use this interface in preference to 
explicitly calling X509_check_host(3), hostname checks are out of scope with 
the DANE-EE(3) certificate usage, and the internal check will be suppressed as 
appropriate when DANE support is added to OpenSSL.

NOTES
Applications are encouraged to use X509_VERIFY_PARAM_set1_host() rather than 
explicitly calling X509_check_host(3). Host name checks are out of scope with 
the DANE-EE(3) certificate usage, and the internal checks will be suppressed as 
appropriate when DANE support is added to OpenSSL.
----------------------------------------------------------------------------------
and there is no documentation at all on how to properly set the params for an SSL or CTX!


Maybe this code is right, while there is no full documentation yet:

  #include <openssl/ssl.h>
  #include <openssl/x509_vfy.h>

  /* ctx is an SSL_CTX created earlier; returns 1 on success, 0 on failure */
  int set_hostname_param(SSL_CTX *ctx)
  {
      const char *servername = "www.openssl.org";
      X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
      int ok = 0;

      if (param == NULL)
          return 0;
      //enable automatic hostname checks (several X509_CHECK_FLAG_* values may be OR'ed together)
      X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
      if (X509_VERIFY_PARAM_set1_host(param, servername, 0) == 1)
          ok = SSL_CTX_set1_param(ctx, param); //copies param into ctx's own parameters

      //free param; ctx keeps its own copy
      X509_VERIFY_PARAM_free(param);
      return ok;
  }


--
Best Regards,

Serj
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
