Quantcast

Hostname validation in OpenSSL 1.1.0

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Hostname validation in OpenSSL 1.1.0

Hajjar, Alain (US)
Hello,

I am looking for confirmation regarding the hostname validation implementation in OpenSSL 1.1.0. Is the example code at https://wiki.openssl.org/index.php/Hostname_validation the correct way to do hostname validation with both 1.1.0 and 1.0.2? 

Specifically, in order for OpenSSL 1.1.0 to automatically perform hostname checks, does the calling application need to use both X509_VERIFY_PARAM_set1_host (with the expected DNS hostname) and SSL_set_verify (with SSL_VERIFY_PEER) as is the case for OpenSSL 1.0.2?

Thank you.

Alain

Alain Hajjar
mobile +1 240 330 3754
direct +1 443 884 6687

CyberPoint International

621 East Pratt Street, Suite 400

Baltimore MD 21202-3196

phone +1 410 779 6700

www.cyberpointllc.com



If you believe you received this e-mail in error, please notify the sender immediately, delete the e-mail from your computer and do not copy or disclose it to anyone else.

The information in this email constitutes the proprietary information of Cyber Point International, LLC, and should be accessed only by the individual to whom it is addressed. The information in this email and any attachments may not be used, copied or disclosed without the consent of CyberPoint. CyberPoint is not responsible for any damages caused by your unauthorized use of the materials in this email.



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

smime.p7s (6K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Hostname validation in OpenSSL 1.1.0

Viktor Dukhovni

> On Apr 4, 2017, at 5:57 PM, Hajjar, Alain (US) <[hidden email]> wrote:
>
> I am looking for confirmation regarding the hostname validation
> implementation in OpenSSL 1.1.0. Is the example code at
> https://wiki.openssl.org/index.php/Hostname_validation the correct
> way to do hostname validation with both 1.1.0 and 1.0.2?

Looks reasonable.

> Specifically, in order for OpenSSL 1.1.0 to automatically perform
> hostname checks, does the calling application need to use both
> X509_VERIFY_PARAM_set1_host (with the expected DNS hostname) and
> SSL_set_verify (with SSL_VERIFY_PEER) as is the case for
> OpenSSL 1.0.2?

Setting the hostname causes hostname checks to happen, regardless
of the SSL verification mode.  Applications that want the SSL
handshake to be aborted on verification failure can set SSL_VERIFY_PEER.
Applications that want to be able to continue despite verification failure,
can set SSL_VERIFY_NONE, and check the results of SSL_get_verify_result()
as described in:

    https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_verify.html
    https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_verify.html

Postfix (for which I maintain the TLS stack) uses the SSL_VERIFY_NONE
approach, completes the handshake, and politely disconnects from the
server at the SMTP layer (sends "QUIT<CRLF>") when server authentication
fails.  Other applications may prefer to abort the handshake with a
suitable TLS-layer alert.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Loading...