I was looking through the docs on the upcoming X509_check_host(3) and
friends (https://www.openssl.org/docs/crypto/X509_check_host.html) and
I have a few questions.
#include <openssl/x509.h>
int X509_check_host(X509 *, const unsigned char *name,
size_t namelen, unsigned int flags);
int X509_check_email(X509 *, const unsigned char *address,
size_t addresslen, unsigned int flags);
int X509_check_ip(X509 *, const unsigned char *address,
size_t addresslen, unsigned int flags);
int X509_check_ip_asc(X509 *, const char *address, unsigned int flags);
*****
For a flags of 0:
The flags argument is usually 0. It can be the bitwise OR of the flags...
What type of wildcard matching occurs with a flags of 0? Or does
wildcard matching *not* occur with a flag of 0?
I guess what I am asking is: what is the default behavior? It's not clear
from the basic description.
*****
For X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS:
If set, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS suppresses support
for ``*'' as wildcard pattern in labels that have a prefix or
suffix, such as: ``www*''
or ``*www''; this only applies to X509_check_host.
Is that the "leftmost" rule? I.e., a wildcard must be at the leftmost label?
*****
What is the purpose of allowing a leading dot for a hostname? I.e.,
why is ".example.com" allowed?
A leading dot does not appear to be a valid hostname nor a well-formed
FQDN. I don't recall reading about it in the RFCs or the CA/B Forums
(RFCs 5280, 6125 or CA/B Baseline Requirements). I would expect a
certificate with it to be rejected as malformed.
*****
Is there an intersection with EV OIDs? Or is it out of scope for host
name matching? According to the CA/B EV Guide, wildcards are not
allowed in EV certificates. So I would expect a wildcarded cert to be
rejected as malformed if it's an EV certificate.
*****
Would it be possible to receive the reason for a failure? For example,
I would consider a DNS name in the CN as a soft failure that I could
recover from (both the RFC and CA/B Forums have deprecated the
practice, but it's still frequently encountered). But a wildcard match
with trickery, such as a DNS name of "*.com", would be a hard failure
that I would not attempt to recover from.
As another example, Java will fail a cert for overlapping DNS names in
Subject Alt Names of a certificate, like having both "*.com" and
"www.*.com" or having both "*.com" and "example.com".
So maybe something like the following, where `reason` is an optional
bitmask that is valid *if* the function fails.
int X509_check_host(X509 *, const unsigned char *name,
size_t namelen, unsigned int flags, int* reason);
Jeff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
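An added example, not part of the post above and not OpenSSL's own code: a small Python model of the hostname-matching rules the X509_check_host(3) documentation describes (wildcards on by default, the leftmost-label restriction, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, the "*.com" case, and a leading dot in the reference name), run against constructed subjectAltName DNS entries. The flag values are the real ones from the OpenSSL headers; the two-labels-after-the-wildcard rule and the leading-dot sub-domain semantics are as OpenSSL implements them, but the model is only an illustration of the rules, not a bit-for-bit reimplementation.

```python
# Added example, not OpenSSL's code: model of the X509_check_host matching
# rules applied to DNS names from a certificate's subjectAltName.
import re

# Real X509_CHECK_FLAG_* values from <openssl/x509v3.h>
X509_CHECK_FLAG_NO_WILDCARDS = 0x2
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0x4

_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?\Z", re.I)

def wildcard_is_legal(pattern, flags):
    """Is the single '*' in certificate name PATTERN usable under FLAGS?"""
    if flags & X509_CHECK_FLAG_NO_WILDCARDS or pattern.count("*") != 1:
        return False
    first, *rest = pattern.split(".")
    # Only in the leftmost label, never in an IDNA (xn--) label, and at least
    # two labels must follow it: '*.example.com' is legal, '*.com' is not.
    if "*" not in first or first.lower().startswith("xn--") or len(rest) < 2:
        return False
    if not all(_LABEL.match(l) for l in rest):
        return False
    if first == "*":                       # whole-label wildcard: always ok
        return True
    # Partial wildcard ('www*' / '*www') unless suppressed; 'foo*bar' never.
    if flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS:
        return False
    return first.startswith("*") != first.endswith("*")

def name_matches(pattern, name, flags=0):
    """Does certificate DNS name PATTERN cover the reference NAME?"""
    pattern, name = pattern.lower(), name.lower()
    if name.startswith("."):
        # Leading dot: NAME stands for any proper sub-domain of the suffix,
        # and only a literal (non-wildcard) certificate name can match it.
        return "*" not in pattern and pattern.endswith(name) and pattern != name
    if "*" not in pattern:
        return pattern == name
    if not wildcard_is_legal(pattern, flags):
        return False
    pfirst, prest = pattern.split(".", 1)
    nfirst, _, nrest = name.partition(".")
    prefix, suffix = pfirst.split("*")
    # The wildcard covers exactly one label; the remaining labels must be equal.
    if prest != nrest or not _LABEL.match(nfirst):
        return False
    if len(nfirst) < len(prefix) + len(suffix):
        return False
    return nfirst.startswith(prefix) and nfirst.endswith(suffix)

def check_host(san_dns_names, name, flags=0):
    """Model of X509_check_host over the DNS SAN entries: 1 match, 0 no match
    (the real call additionally returns -1/-2 for internal/malformed input)."""
    return int(any(name_matches(p, name, flags) for p in san_dns_names))
```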