Re: [openssl-users] Hostname validation in OpenSSL 1.1.0

2017-04-04 Thread Viktor Dukhovni

> On Apr 4, 2017, at 5:57 PM, Hajjar, Alain (US) wrote:
> 
> I am looking for confirmation regarding the hostname validation
> implementation in OpenSSL 1.1.0. Is the example code at
> https://wiki.openssl.org/index.php/Hostname_validation the correct
> way to do hostname validation with both 1.1.0 and 1.0.2? 

Looks reasonable.

> Specifically, in order for OpenSSL 1.1.0 to automatically perform
> hostname checks, does the calling application need to use both
> X509_VERIFY_PARAM_set1_host (with the expected DNS hostname) and
> SSL_set_verify (with SSL_VERIFY_PEER) as is the case for
> OpenSSL 1.0.2?

Setting the hostname causes hostname checks to happen, regardless
of the SSL verification mode.  Applications that want the SSL
handshake to be aborted on verification failure can set SSL_VERIFY_PEER.
Applications that want to be able to continue despite verification failure
can set SSL_VERIFY_NONE and check the results of SSL_get_verify_result()
as described in:

https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_verify.html
https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_verify.html

Postfix (for which I maintain the TLS stack) uses the SSL_VERIFY_NONE
approach, completes the handshake, and politely disconnects from the
server at the SMTP layer (sends "QUIT") when server authentication
fails.  Other applications may prefer to abort the handshake with a
suitable TLS-layer alert.

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Hostname validation in OpenSSL 1.1.0

2017-04-04 Thread Hajjar, Alain (US)
Hello,

I am looking for confirmation regarding the hostname validation
implementation in OpenSSL 1.1.0. Is the example code at
https://wiki.openssl.org/index.php/Hostname_validation the correct way to do
hostname validation with both 1.1.0 and 1.0.2?

Specifically, in order for OpenSSL 1.1.0 to automatically perform hostname
checks, does the calling application need to use both
X509_VERIFY_PARAM_set1_host (with the expected DNS hostname) and
SSL_set_verify (with SSL_VERIFY_PEER) as is the case for OpenSSL 1.0.2?

Thank you.

Alain

Alain Hajjar
mobile +1 240 330 3754
direct +1 443 884 6687

CyberPoint International
621 East Pratt Street, Suite 400
Baltimore MD 21202-3196
phone +1 410 779 6700
www.cyberpointllc.com