Yikes, thanks for the heads up.  When you say not
portable, do you mean with future versions of openssl,
or not portable across platforms?

Can you point me to some good examples of how to use
those X509 APIs to do a post connection check?

Thanks,
Ed

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Thu, Oct 24, 2002, Edward Chan wrote:
> 
> > Hi there,
> > 
> > I'm looking at some code for doing post connection
> > checks to make sure the DNS name specified in the
> > certificate matches the host the client is trying to
> > connect to.  The code is from Chapter 5 of "Network
> > Security with OpenSSL".
> > 
> > It looks like it first gets the subjectAltName field
> > of the certificate, then tries to get the dNSName.
> > However, it specifies "DNS" instead of "dNSName".  Is
> > this an error?  Should it be "DNS" or "dNSName"?  And
> > if I want to check for IP address, should I specify
> > "iPAddress"?
> > 
> > The code is below. The line
> > 
> > if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
> > 
> > looks suspicious to me.
> > 
> > 
> > long post_connection_check(SSL *ssl, char *host)
> > {
> >     X509      *cert;
> >     X509_NAME *subj;
> >     char      data[256];
> >     int       extcount;
> >     int       ok = 0;
> >  
> >     /* Checking the return from SSL_get_peer_certificate here is not strictly
> >      * necessary.  With our example programs, it is not possible for it to return
> >      * NULL.  However, it is good form to check the return since it can return NULL
> >      * if the examples are modified to enable anonymous ciphers or for the server
> >      * to not require a client certificate.
> >      */
> >     if (!(cert = SSL_get_peer_certificate(ssl)) || !host)
> >         goto err_occured;
> >     if ((extcount = X509_get_ext_count(cert)) > 0)
> >     {
> >         int i;
> >  
> >         for (i = 0;  i < extcount;  i++)
> >         {
> >             char              *extstr;
> >             X509_EXTENSION    *ext;
> >  
> >             ext = X509_get_ext(cert, i);
> >             extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
> >  
> >             if (!strcmp(extstr, "subjectAltName"))
> >             {
> >                 int                  j;
> >                 unsigned char        *data;
> >                 STACK_OF(CONF_VALUE) *val;
> >                 CONF_VALUE           *nval;
> >                 X509V3_EXT_METHOD    *meth;
> >  
> >                 if (!(meth = X509V3_EXT_get(ext)))
> >                     break;
> >                 data = ext->value->data;
> >  
> >                 val = meth->i2v(meth,
> >                                 meth->d2i(NULL, &data, ext->value->length),
> >                                 NULL);
> >                 for (j = 0;  j < sk_CONF_VALUE_num(val);  j++)
> >                 {
> >                     nval = sk_CONF_VALUE_value(val, j);
> >                     if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
> >                     {
> >                         ok = 1;
> >                         break;
> >                     }
> >                 }
> >             }
> >             if (ok)
> >                 break;
> >         }
> >     }
> >  
> >     if (!ok && (subj = X509_get_subject_name(cert)) &&
> >         X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) > 0)
> >     {
> >         data[255] = 0;
> >         if (strcasecmp(data, host) != 0)
> >             goto err_occured;
> >     }
> >  
> >     X509_free(cert);
> >     return SSL_get_verify_result(ssl);
> >  
> > err_occured:
> >     if (cert)
> >         X509_free(cert);
> >     return X509_V_ERR_APPLICATION_VERIFICATION;
> > }
> > 
> > 
> One additional comment. I'd advise against using the
> technique above: it is non-portable and not guaranteed
> to work on future versions of OpenSSL: in fact it won't
> work on 0.9.7.
> 
> Steve.
> --
> Dr. Stephen Henson      [EMAIL PROTECTED]
> OpenSSL Project         http://www.openssl.org/~steve/


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
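A portable way to do the name check Steve refers to is to stay away from the X509V3_EXT_METHOD table (the i2v/d2i calls in the quoted code) and compare the host directly against the dNSName entries of subjectAltName. The matching logic below is an added example, not code from this thread or from the book; in a real client the `dns_names` list would be filled from the GENERAL_NAMES returned by `X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL)`, taking the entries of type GEN_DNS, and the `SAMPLE_SAN` list here is constructed for illustration. Unlike the quoted code, it compares names case-insensitively, honours a wildcard only as the whole leftmost label, and does not fall back to the commonName.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

/* Match one presented dNSName against the reference host name.
 * DNS names are compared case-insensitively.  A '*' is honoured only
 * as the entire leftmost label ("*.example.net"), it must be followed
 * by at least two more labels, and it never matches across a dot. */
static int dns_name_matches(const char *pattern, const char *host)
{
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 1;          /* ".example.net" */
        const char *host_dot = strchr(host, '.');  /* host minus first label */

        if (strchr(suffix + 1, '.') == NULL)       /* reject "*.net" */
            return 0;
        if (host_dot == NULL || host_dot == host)  /* host needs its own label */
            return 0;
        return strcasecmp(suffix, host_dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Return 1 if host matches any dNSName in the list, else 0.  No fallback
 * to the subject commonName: when the certificate carries dNSName
 * entries, subjectAltName is the authoritative place to look. */
int host_in_san(const char *const *dns_names, size_t count, const char *host)
{
    size_t i;

    if (host == NULL || *host == '\0')
        return 0;
    for (i = 0; i < count; i++)
        if (dns_name_matches(dns_names[i], host))
            return 1;
    return 0;
}

/* Constructed sample: the dNSName entries a client might have pulled out
 * of a server certificate's subjectAltName (not taken from any real cert). */
static const char *const SAMPLE_SAN[] = { "www.example.org", "*.example.net" };

int check_sample_host(const char *host)
{
    return host_in_san(SAMPLE_SAN, sizeof SAMPLE_SAN / sizeof SAMPLE_SAN[0], host);
}
```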