Certificate Domain Validation in OpenSSL

I need to verify the X509 certificate domain using OpenSSL C-land.

I understand that the library does not do this for me and that I should implement something like the following algorithm:

  • If the dnsName field of the subjectAlternativeName extension is present, set name to this value.
  • Otherwise, set name to the object in the CN field.
  • Compare name with the requested host name, allowing each asterisk to match [A-Za-z0-9_]+, but not a dot (.).

It seems to me that this requires a lot of code, but I did not find it.

Can anyone find an example of this? Or, alternatively, test the performance of my algorithm?

EDIT: This is what I came up with: https://gist.github.com/2821083. It seems really odd that OpenSSL would leave it until the code is called.

+5
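As an added example (not the question's gist and not OpenSSL's own code), here are the three matching rules from the question in plain C with no OpenSSL dependency: the caller is assumed to have already extracted the SAN dNSName entries and the CN with OpenSSL and to have verified the chain, and hands the strings to host_matches_cert. The function names and the sample names are constructed for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Rule 3 from the question: '*' matches one or more [A-Za-z0-9_] characters and
 * never a '.', so "*.example.com" matches "www.example.com" but not
 * "a.b.example.com" or "example.com". Other characters compare
 * case-insensitively, since DNS names are case-insensitive. */
static bool label_char(char c) {
    return isalnum((unsigned char)c) || c == '_';
}

bool cert_name_matches(const char *pattern, const char *host) {
    while (*pattern) {
        if (*pattern == '*') {
            pattern++;
            size_t n = 0;
            while (label_char(host[n])) n++;
            if (n == 0) return false;             /* '*' must consume at least one char */
            for (size_t i = n; i >= 1; i--)       /* longest run first, then backtrack */
                if (cert_name_matches(pattern, host + i)) return true;
            return false;
        }
        if (!*host) return false;                 /* host exhausted before pattern */
        if (tolower((unsigned char)*pattern) != tolower((unsigned char)*host)) return false;
        pattern++; host++;
    }
    return *host == '\0';                         /* reject trailing garbage like ".evil" */
}

/* Rules 1 and 2: SAN dNSName entries take precedence; the CN is consulted only
 * when no dNSName is present. 'san' is a NULL-terminated array of dNSName strings
 * (an empty array means the extension carried no dNSName). */
bool host_matches_cert(const char *const *san, const char *cn, const char *host) {
    if (san && san[0]) {
        for (size_t i = 0; san[i]; i++)
            if (cert_name_matches(san[i], host)) return true;
        return false;                             /* SAN present: CN is ignored */
    }
    return cn && cert_name_matches(cn, host);
}

/* Constructed sample name lists (not taken from any real certificate). */
const char *const SAMPLE_SAN[] = { "*.example.com", "example.com", NULL };
const char *const NO_SAN[] = { NULL };
```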
2 answers

You are pretty much in place, though beware of the topic Alternate Names and Raw IPs and FQDNs. You might want to steal

BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)

and related friends from http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c and the called party in ssl_engine_init.c (which, by the way, is on the server side) for all parameters.

How do you act on the openssl callback - also consider date and time and chain if you haven't already specified this in CTX.

Dw.

+5

, OpenSSL .


OpenSSL 1.1.0 ( HEAD ( SEPT 2013)). -verify_name, apps.c -verify_hostname. s_client , , .


dnsName subjectAlternativeName , .

(SAN), .

CN .


, [A-Za-z0-9 _] +, "" (.).

. , gTLD ccTLD. , , gTLD *.com. , , ;)

ccTLDs *.eu, *.us இலங்கை (nic.lk). 5000 , Mozilla http://publicsuffix.org/. https://mxr.mozilla.org/mozilla-central/source/netwerk/dns/effective_tld_names.dat?raw=1.


, , , .

Curl. , Curl .


, . , , CA/Browser. :

, , IP-, (CN), (SAN).

, IP- (RFC 1918) (EV); EV .

+2
