> On Mar 17, 2021, at 1:00 PM, Eliot Lear <[email protected]>
> wrote:
>
>> See X509_check_host(3). Its behaviour is customisable via the
>> below flags:
>>
>> X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
>> X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
>> X509_CHECK_FLAG_NO_WILDCARDS,
>> X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
>> X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS,
>> X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS.
>>
>> So what Rich is proposing amounts to changing the default flag
>> setting from zero to X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, and
>> then applications that want the legacy behaviour can just clear
>> that flag bit if they so desire.
>
> Ok, that makes a whole lot of sense.
For the record, there's also X509_VERIFY_PARAM_set_hostflags(3),
which in combination with X509_VERIFY_PARAM_set1_host(3) and
X509_VERIFY_PARAM_add1_host(3) performs the hostname checks
automatically as part of the overall certificate chain verification
process. For TLS applications, there are also:
int SSL_set1_host(SSL *s, const char *hostname);
int SSL_add1_host(SSL *s, const char *hostname);
void SSL_set_hostflags(SSL *s, unsigned int flags);
which provide a simpler interface than having to dig down to the
underlying X509_STORE and its verification parameter structure.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
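As an added illustration (not part of Viktor's message and not OpenSSL's own code): a small Python model of the X509_check_host() decision discussed above, covering the SAN-first rule and the ALWAYS_CHECK_SUBJECT, NEVER_CHECK_SUBJECT, NO_WILDCARDS and NO_PARTIAL_WILDCARDS flags, plus the real Python knob (ssl.SSLContext.hostname_checks_common_name) that applies X509_CHECK_FLAG_NEVER_CHECK_SUBJECT through X509_VERIFY_PARAM_set_hostflags(). CertNames, pattern_matches, check_host and strict_client_context are names chosen here; the model omits MULTI_LABEL_WILDCARDS, SINGLE_LABEL_SUBDOMAINS and OpenSSL's IDNA and error-return handling.

```python
import ssl
from dataclasses import dataclass
# Flag values as defined in <openssl/x509v3.h>.
X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 0x1
X509_CHECK_FLAG_NO_WILDCARDS = 0x2
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0x4
X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0x20

@dataclass
class CertNames:  # names lifted from a certificate (constructed here; no X509 parsing)
    subject_cn: list  # commonName values from the subject DN
    san_dns: list     # dNSName entries from subjectAltName

def pattern_matches(pattern, host, flags):
    """One certificate name against the reference host (model of OpenSSL's rules)."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    if flags & X509_CHECK_FLAG_NO_WILDCARDS:
        return False
    labels, hlabels = pattern.split("."), host.split(".")
    # Wildcard only in the leftmost label, and at least two labels after it.
    if labels[0].count("*") != 1 or "*" in pattern[len(labels[0]):] or len(labels) < 3:
        return False
    if flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS and labels[0] != "*":
        return False
    if hlabels[1:] != labels[1:]:  # a wildcard never spans a label boundary here
        return False
    prefix, suffix = labels[0].split("*")
    h = hlabels[0]
    return len(h) > len(prefix) + len(suffix) and h.startswith(prefix) and h.endswith(suffix)

def check_host(names, host, flags=0):
    """Model of X509_check_host(): 1 on match, 0 otherwise."""
    for dns in names.san_dns:
        if pattern_matches(dns, host, flags):
            return 1
    # Any dNSName present: the subject CN is ignored unless ALWAYS_CHECK_SUBJECT.
    if names.san_dns and not flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT:
        return 0
    # NEVER_CHECK_SUBJECT (the proposed new default) removes the CN fallback entirely.
    if flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT:
        return 0
    return int(any(pattern_matches(cn, host, flags) for cn in names.subject_cn))

def strict_client_context():
    # hostname_checks_common_name=False sets X509_CHECK_FLAG_NEVER_CHECK_SUBJECT on the context's verify params
    ctx = ssl.create_default_context()
    ctx.hostname_checks_common_name = False
    return ctx
```

A CN-only certificate matches under flags=0 (legacy fallback) but not once NEVER_CHECK_SUBJECT is set, which is exactly the default change under discussion.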