On 02/20/2013 07:26 PM, Jardel Weyrich wrote:
> There's X509_check_host for that, but I'm really not sure whether it's
> enough or not.

Please correct me if I'm mistaken, but my impression is that X509_check_host only exists in the OpenSSL trunk, but has not yet appeared in any released version of OpenSSL. (In particular, it is not in the 1.0.1 release series.) If I'm interpreting things correctly, I believe this is going to be in the 1.1.0 release series. (But I have no idea when OpenSSL plans to release 1.1.0)
So, I think that the hostname checking is fairly easy for us, if we target OpenSSL 1.1.0 and up. But if we want to target OpenSSL versions currently in the wild (1.0.1 and down), we have to do the hostname validation ourselves. This could mean using the iSECPartners sample code:
https://github.com/iSECPartners/ssl-conservatory
However, the iSECPartners code doesn't handle wildcards, which means it fails on common cases like https://ip.appspot.com/ which has a wildcard certificate for *.appspot.com. So, I think that for full-blown wildcard hostname validation, which is usable on the Web at large, we'd need to look someplace like the cURL source code.
I'm currently looking into all this, and trying to add hostname validation to Catalin's sample program. I'll post again in the future when I have some code to show.
Also, some partially off-topic self-promotion: I've attempted to fill the vacuum in OpenSSL documentation (since the sort of quandary we're having now seems to be the norm when doing development with OpenSSL) by creating an OpenSSL Wikibook:
https://en.wikibooks.org/wiki/OpenSSL
If there are others with knowledge of OpenSSL who can contribute to the Wikibook, I'd greatly appreciate it. Otherwise, it will probably die, since I don't have the time (or knowledge) to write a whole book by myself, and the Wikibooks administrators have already started deleting pages from my book as essentially being too feeble of an attempt to be worth keeping.
--Patrick
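The wildcard case the message says the iSEC sample does not cover, as an added illustration that is not code from Patrick, iSECPartners, cURL or OpenSSL: a dependency-free matcher that takes dNSName strings already pulled out of a certificate (the sample names below are constructed) and applies the conservative RFC 6125 rules stated in the comments, so `*.appspot.com` accepts `ip.appspot.com` but not `a.b.appspot.com`, `appspot.com`, or a pattern like `*.com`.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes (DNS names are case-insensitive). */
static bool eq_ci(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Does one certificate name (dNSName / CN value) match the requested hostname?
 * Rules applied (a conservative subset of RFC 6125 section 6.4.3):
 *  - a trailing dot on the hostname is ignored
 *  - '*' is accepted only as the entire leftmost label ("*.example.com");
 *    partial wildcards such as "f*.example.com" are rejected
 *  - '*' matches exactly one non-empty label, never "a.b" and never nothing
 *  - the part after "*." must itself contain at least two labels, so
 *    "*.com" cannot match every host under .com */
bool hostname_matches(const char *pattern, const char *hostname) {
    size_t plen = strlen(pattern), hlen = strlen(hostname);
    if (plen == 0 || hlen == 0) return false;
    if (hostname[hlen - 1] == '.') hlen--;              /* "host.example.com." */
    if (memchr(hostname, '*', hlen) != NULL) return false; /* no wildcards in the query */
    if (plen > 2 && pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 1;               /* ".appspot.com" */
        size_t slen = plen - 1;
        if (strchr(suffix, '*') != NULL) return false;  /* only one wildcard */
        const char *dot2 = strchr(suffix + 1, '.');     /* second label must exist */
        if (dot2 == NULL || dot2[1] == '\0') return false;
        const char *hdot = memchr(hostname, '.', hlen); /* end of the first label */
        if (hdot == NULL || hdot == hostname) return false;
        size_t hsuffix_len = hlen - (size_t)(hdot - hostname);
        return hsuffix_len == slen && eq_ci(hdot, suffix, slen);
    }
    if (strchr(pattern, '*') != NULL) return false;     /* partial wildcard */
    return plen == hlen && eq_ci(pattern, hostname, hlen);
}

/* Accept the host if any name presented by the certificate matches it. */
bool cert_names_match(const char *const *names, size_t count, const char *hostname) {
    for (size_t i = 0; i < count; i++)
        if (hostname_matches(names[i], hostname)) return true;
    return false;
}
```

In a real client these strings would come from the subjectAltName extension (falling back to the CN only when no dNSName entries are present) after the chain itself has been verified.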