RE: How does a client get the server's SAN/DNS strings
Really impressed. I have a lot to learn from that. :-)
Thanks again for the link. Much appreciated.

Michel.

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of Viktor Dukhovni
Sent: Sunday 17 April 2022 18:17
To: openssl-users@openssl.org
Subject: Re: How does a client get the server's SAN/DNS strings

> On 17 Apr 2022, at 11:29 am, Michel wrote:
>
> What a beautiful source code !
> If only all software could be written like this !

The Postfix project aims for code quality, security and backwards compatibility over hastily deployed shiny new features. You'll find many examples of careful/correct use of OpenSSL in:

https://github.com/vdukhovni/postfix/tree/master/postfix/src/tls

The main "limitation" to keep in mind is that the Postfix concurrency model is multi-process, not multi-thread. So issues related to thread-safety don't arise and are not addressed.

--
Viktor.
Re: How does a client get the server's SAN/DNS strings
> On 17 Apr 2022, at 11:29 am, Michel wrote:
>
> What a beautiful source code !
> If only all software could be written like this !

The Postfix project aims for code quality, security and backwards compatibility over hastily deployed shiny new features. You'll find many examples of careful/correct use of OpenSSL in:

https://github.com/vdukhovni/postfix/tree/master/postfix/src/tls

The main "limitation" to keep in mind is that the Postfix concurrency model is multi-process, not multi-thread. So issues related to thread-safety don't arise and are not addressed.

--
Viktor.
RE: How does a client get the server's SAN/DNS strings
Waouh, waouh, waouh !!!
What a beautiful source code !
If only all software could be written like this !

Thanks for the example Viktor.

> https://github.com/vdukhovni/postfix/blob/postfix-3.5/postfix/src/tls/tls_client.c#L756-L794

--
Viktor.
Re: How does a client get the server's SAN/DNS strings
On Sat, Apr 16, 2022 at 03:02:16PM -0700, Hal Murray wrote:

> openssl-us...@dukhovni.org said:
> > Can you explain *why* you want the list of DNS names?
> > Is this just for logging..
>
> Yes, just for logging.

https://github.com/vdukhovni/postfix/blob/postfix-3.5/postfix/src/tls/tls_client.c#L756-L794

--
Viktor.
RE: How does a client get the server's SAN/DNS strings
My quick answer :

    /* locate the subjectAltName extension in the certificate */
    int iPos = X509_get_ext_by_NID( pCX509, NID_subject_alt_name, -1 );
    if( iPos < 0 )
        ...;   /* no SAN extension present */
    X509_EXTENSION* pE = X509_get_ext( pCX509, iPos );
    /* decode it: the result is a stack of GENERAL_NAME */
    GENERAL_NAMES* pGNames = (GENERAL_NAMES*)X509V3_EXT_d2i( pE );
    if( pGNames == NULL )
        ...;   /* extension present but could not be decoded */
    for( int i = 0; i < sk_GENERAL_NAME_num( pGNames ); i++ )
    {
        GENERAL_NAME* pGName = sk_GENERAL_NAME_value( pGNames, i );
        switch( pGName->type )
        {
        case GEN_EMAIL:
        case GEN_URI:
        case GEN_DNS:     /* pGName->d.dNSName holds the DNS string */
        case GEN_RID:
        case GEN_IPADD:
        case GEN_DIRNAME:
            ...
        }
    }
    GENERAL_NAMES_free( pGNames );   /* X509V3_EXT_d2i returns an owned copy */

Look at crypto\X509\v3_genn.c

Maybe there is something new, more straightforward.

Hope it helps, it is very late in the night here.

Michel.

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of Hal Murray
Sent: Sunday 17 April 2022 00:02
To: openssl-users@openssl.org
Subject: Re: How does a client get the server's SAN/DNS strings

openssl-us...@dukhovni.org said:
> Can you explain *why* you want the list of DNS names?
> Is this just for logging..

Yes, just for logging.

--
These are my opinions.  I hate spam.
Re: How does a client get the server's SAN/DNS strings
openssl-us...@dukhovni.org said:
> Can you explain *why* you want the list of DNS names?
> Is this just for logging..

Yes, just for logging.

--
These are my opinions.  I hate spam.
Re: How does a client get the server's SAN/DNS strings
On Sat, Apr 16, 2022 at 01:18:57PM -0700, Hal Murray wrote:

> I can get the subject and issuer with
> X509_get_subject_name and X509_get_issuer_name
>
> I'm looking for something similar to get the SAN/DNS strings used to verify
> that this certificate is valid for the hostname provided via SSL_set1_host
>
> Any API will be slightly complicated since there may be more than one SAN/DNS
> string.

Can you explain *why* you want the list of DNS names? What's wrong with letting OpenSSL do the validation for you? Is this just for logging, or do you intend to supplant the built-in name checks?

--
Viktor.
RE: How does a client get the server's SAN/DNS strings
Hi Hal,

Might be simpler to use the 'X509_VERIFY_PARAM...' interface.
Did you see :
https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set1_host.html

Hope it helps,
Regards,

Michel.

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of Hal Murray
Sent: Saturday 16 April 2022 22:19
To: openssl-users@openssl.org
Subject: How does a client get the server's SAN/DNS strings

I can get the subject and issuer with
X509_get_subject_name and X509_get_issuer_name

I'm looking for something similar to get the SAN/DNS strings used to verify that this certificate is valid for the hostname provided via SSL_set1_host

Any API will be slightly complicated since there may be more than one SAN/DNS string.

--
These are my opinions.  I hate spam.
How does a client get the server's SAN/DNS strings
I can get the subject and issuer with
X509_get_subject_name and X509_get_issuer_name

I'm looking for something similar to get the SAN/DNS strings used to verify that this certificate is valid for the hostname provided via SSL_set1_host

Any API will be slightly complicated since there may be more than one SAN/DNS string.

--
These are my opinions.  I hate spam.