Hi,
The "DNS" refers to the configuration value in your openssl.cnf file;
it is the name of the "conf-value", e.g.
subjectAltName = DNS:foo.bar.com, IP:10.11.12.13
Also look at doc/openssl.txt.
Greets
Christian
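As an added example (not from Christian's reply, the book, or OpenSSL itself), here is the post-connection check the thread is after, written against a stand-in for the CONF_VALUE name/value pairs that the subjectAltName i2v method returns. OpenSSL's i2v labels dNSName entries "DNS" and iPAddress entries "IP Address", so those labels, not "dNSName" or "iPAddress", are what the comparison has to use; the example also compares DNS names case-insensitively (the posted code uses strcmp) and consults the CN only when the certificate carries no DNS entries, which is the rule in RFC 2818 section 3.1. The struct, the function name and the sample entries are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Constructed stand-in for OpenSSL's CONF_VALUE as filled in by the
 * subjectAltName i2v method: name is the type label, value the entry. */
struct san_entry {
    const char *name;   /* "DNS", "IP Address", "email", "URI", ... */
    const char *value;
};

/* Returns 1 if host is named by the certificate, 0 otherwise.
 * cn is the subject commonName (may be NULL); it is only consulted when
 * the SAN carries no DNS entries at all (RFC 2818 3.1). */
int check_host_against_san(const struct san_entry *sans, size_t n,
                           const char *cn, const char *host)
{
    size_t i;
    int has_dns = 0;

    if (!host || !*host)
        return 0;
    for (i = 0; i < n; i++) {
        if (strcmp(sans[i].name, "DNS") == 0) {
            has_dns = 1;
            /* DNS names are case-insensitive, so not strcmp() */
            if (strcasecmp(sans[i].value, host) == 0)
                return 1;
        } else if (strcmp(sans[i].name, "IP Address") == 0 &&
                   strcmp(sans[i].value, host) == 0) {
            /* i2v renders iPAddress entries in dotted/colon text form */
            return 1;
        }
    }
    return (!has_dns && cn && strcasecmp(cn, host) == 0) ? 1 : 0;
}

/* Constructed sample: what i2v yields for
 * subjectAltName = DNS:foo.bar.com, IP:10.11.12.13 */
static const struct san_entry sample[] = {
    { "DNS", "foo.bar.com" },
    { "IP Address", "10.11.12.13" },
};
static const size_t sample_n = sizeof sample / sizeof sample[0];

/* Constructed sample with no DNS entry, so the CN is used instead */
static const struct san_entry email_only[] = {
    { "email", "admin@foo.bar.com" },
};
static const size_t email_only_n = sizeof email_only / sizeof email_only[0];
```

Since OpenSSL 1.0.2, X509_check_host() and X509_check_ip_asc() implement this matching against the certificate directly, so new code should call those rather than walk the extension by hand.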
On Thu, Oct 24, 2002 at 11:57:42AM -0700, Edward Chan wrote:
> Hi there,
>
> I'm looking at some code for doing post connection
> checks to make sure the DNS name specified in the
> certificate matches the host the client is trying to
> connect to. The code is from Chapter 5 of "Network
> Security with OpenSSL".
>
> It looks like it first gets the subjectAltName field
> of the certificate, then tries to get the dNSName.
> However, it specifies "DNS" instead of "dNSName". Is
> this an error? Should it be "DNS" or "dNSName". And
> if I want to check for IP address, should I specify
> "iPAddress"?
>
> The code is below. The line
>
> if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
>
> looks suspicious to me.
>
>
> #include <string.h>
> #include <strings.h>
> #include <openssl/ssl.h>
> #include <openssl/x509v3.h>
>
> long post_connection_check(SSL *ssl, char *host)
> {
>     X509 *cert;
>     X509_NAME *subj;
>     char data[256];
>     int extcount;
>     int ok = 0;
>
>     /* Checking the return from SSL_get_peer_certificate here is not strictly
>      * necessary. With our example programs, it is not possible for it to return
>      * NULL. However, it is good form to check the return since it can return NULL
>      * if the examples are modified to enable anonymous ciphers or for the server
>      * to not require a client certificate.
>      */
>     if (!(cert = SSL_get_peer_certificate(ssl)) || !host)
>         goto err_occured;
>     if ((extcount = X509_get_ext_count(cert)) > 0)
>     {
>         int i;
>
>         for (i = 0; i < extcount; i++)
>         {
>             char *extstr;
>             X509_EXTENSION *ext;
>
>             ext = X509_get_ext(cert, i);
>             extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
>
>             if (!strcmp(extstr, "subjectAltName"))
>             {
>                 int j;
>                 unsigned char *data;
>                 STACK_OF(CONF_VALUE) *val;
>                 CONF_VALUE *nval;
>                 X509V3_EXT_METHOD *meth;
>
>                 if (!(meth = X509V3_EXT_get(ext)))
>                     break;
>                 data = ext->value->data;
>
>                 /* decode the extension, then convert it to name/value pairs */
>                 val = meth->i2v(meth, meth->d2i(NULL, &data, ext->value->length), NULL);
>                 for (j = 0; j < sk_CONF_VALUE_num(val); j++)
>                 {
>                     nval = sk_CONF_VALUE_value(val, j);
>                     if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
>                     {
>                         ok = 1;
>                         break;
>                     }
>                 }
>             }
>             if (ok)
>                 break;
>         }
>     }
>
>     if (!ok && (subj = X509_get_subject_name(cert)) &&
>         X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) > 0)
>     {
>         data[255] = 0;
>         if (strcasecmp(data, host) != 0)
>             goto err_occured;
>     }
>
>     X509_free(cert);
>     return SSL_get_verify_result(ssl);
>
> err_occured:
>     if (cert)
>         X509_free(cert);
>     return X509_V_ERR_APPLICATION_VERIFICATION;
> }
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]