On Wed, Feb 27, 2013 at 11:13 PM, Patrick Pelletier <ppellet...@oblong.com> wrote:
> On 02/20/2013 07:26 PM, Jardel Weyrich wrote:
>
>> There's X509_check_host for that, but I'm really not sure whether it's
>> enough or not.
>
> Please correct me if I'm mistaken, but my impression is that
> X509_check_host only exists in the OpenSSL trunk, but has not yet appeared
> in any released version of OpenSSL. (In particular, it is not in the 1.0.1
> release series.) If I'm interpreting things correctly, I believe this is
> going to be in the 1.1.0 release series. (But I have no idea when OpenSSL
> plans to release 1.1.0)

It seems that you're right. The next feature release will be 1.0.2 though,
but I don't see an ETA - http://www.openssl.org/news/state.html

> So, I think that the hostname checking is fairly easy for us, if we target
> OpenSSL 1.1.0 and up. But if we want to target OpenSSL versions currently
> in the wild (1.0.1 and down), we have to do the hostname validation
> ourselves. This could mean using the iSECPartners sample code:
>
> https://github.com/iSECPartners/ssl-conservatory
>
> However, the iSECPartners code doesn't handle wildcards, which means it
> fails on common cases like https://ip.appspot.com/ which has a wildcard
> certificate for *.appspot.com. So, I think that for full-blown wildcard
> hostname validation, which is usable on the Web at large, we'd need to look
> someplace like the cURL source code.

libcurl is a good candidate. The still-not-released OpenSSL function seems
to support wildcards in any subdomain label. Libevent could ship a copy of
it, but only use it when the host version of OpenSSL is <= 1.<something>.
That would require including the proper license, I guess. Thoughts?

> I'm currently looking into all this, and trying to add hostname validation
> to Catalin's sample program. I'll post again in the future when I have
> some code to show.

Awesome!
> Also, some partially off-topic self-promotion: I've attempted to fill the
> vacuum in OpenSSL documentation (since the sort of quandary we're having now
> seems to be the norm when doing development with OpenSSL) by creating an
> OpenSSL Wikibook:
>
> https://en.wikibooks.org/wiki/OpenSSL
>
> If there are others with knowledge of OpenSSL who can contribute to the
> Wikibook, I'd greatly appreciate it. Otherwise, it will probably die,
> since I don't have the time (or knowledge) to write a whole book by myself,
> and the Wikibooks administrators have already started deleting pages from
> my book as essentially being too feeble of an attempt to be worth keeping.
>
> --Patrick

Great work! I'll try to tout some hands to help. Although my OpenSSL
knowledge is mostly restricted to X.509, I'll also try to get my hands dirty
as soon as I can.

- jw
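The wildcard hostname matching the thread is after, as an added example that is not part of this thread and is not libevent's, OpenSSL's, libcurl's or the ssl-conservatory code. It takes the conservative reading of RFC 6125 section 6.4.3 (a wildcard only as the entire left-most label, matching exactly one label), which is stricter than the "wildcard in any subdomain label" behaviour jw attributes to the unreleased OpenSSL function. `match_hostname`, `hostname_in_names` and the `demo_names` list are constructed for illustration; pulling the dNSName entries out of an `X509 *`, matching iPAddress SANs and IDNA are deliberately left out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive comparison of two byte spans of equal length n. */
static bool span_eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

static size_t count_dots(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/*
 * Match `host` against one certificate name `pattern` (a dNSName SAN or the
 * CN). Conservative reading of RFC 6125 section 6.4.3:
 *  - comparison is ASCII case-insensitive;
 *  - a wildcard is accepted only as the entire left-most label
 *    ("*.example.com"); "w*.example.com", "*w.example.com" and "www.*.com"
 *    are rejected rather than matched;
 *  - "*" matches exactly one non-empty label and never spans a dot, so
 *    "*.appspot.com" matches "ip.appspot.com" but not "a.b.appspot.com";
 *  - at least two labels must follow the wildcard, so "*.com" is rejected.
 * Assumption: both inputs are plain ASCII (A-labels); no IDNA handling here.
 */
bool match_hostname(const char *host, const char *pattern)
{
    size_t hlen = strlen(host), plen = strlen(pattern);
    if (hlen == 0 || plen == 0)
        return false;
    if (host[hlen - 1] == '.')          /* tolerate an absolute name */
        hlen--;

    const char *star = strchr(pattern, '*');
    if (star == NULL)                   /* plain name: exact match only */
        return hlen == plen && span_eq_nocase(host, pattern, hlen);

    /* The wildcard must be the whole first label and the only '*' present. */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return false;
    if (count_dots(pattern) < 2)        /* "*.com" or "*." is too broad */
        return false;

    /* The host's first label must be non-empty and dot-free. */
    const char *hdot = memchr(host, '.', hlen);
    if (hdot == NULL || hdot == host)
        return false;

    /* Everything from the host's first dot must equal the pattern after '*'. */
    size_t hrest = hlen - (size_t)(hdot - host);
    size_t prest = plen - 1;
    return hrest == prest && span_eq_nocase(hdot, pattern + 1, hrest);
}

/*
 * Check a host against every name the certificate presents. A real caller
 * would collect these from the subjectAltName dNSName entries and consult
 * the CN only when no dNSName is present; here they are plain strings.
 */
bool hostname_in_names(const char *host, const char *const *names, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (match_hostname(host, names[i]))
            return true;
    return false;
}

/* Constructed stand-in for the names a *.appspot.com certificate might carry. */
static const char *const demo_names[] = { "*.appspot.com", "appspot.com" };

int main(void)
{
    const char *hosts[] = { "ip.appspot.com", "IP.APPSPOT.COM", "appspot.com",
                            "a.b.appspot.com", "evil-appspot.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s %s\n", hosts[i],
               hostname_in_names(hosts[i], demo_names, 2) ? "match" : "no match");
    return 0;
}
```

Two caveats for anyone wiring this into the libevent sample: run it only after `SSL_get_verify_result()` has returned `X509_V_OK`, since a name match on an unverified chain proves nothing, and match the host the user typed against the certificate, not a name obtained from DNS along the way.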