Commit graph

10 commits

Author SHA1 Message Date
David Woodhouse
5d786e9e2d RT3998: fix X509_check_host.pod release to 1.0.2
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 2bfbeb2645)
2015-08-08 18:14:31 -04:00
Emilia Kasper
95929797a0 Fix hostname validation in the command-line tool to honour negative return values.
Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion
and result in a negative return value, which the "x509 -checkhost" command-line option
incorrectly interpreted as success.

Also update X509_check_host docs to reflect reality.

Thanks to Sean Burford (Google) for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 0923e7df9e)
2015-02-10 15:36:03 +01:00
Viktor Dukhovni
3ebcecf5c4 Improve X509_check_host() documentation.
Based on feedback from Jeffrey Walton.

(cherry picked from commit b73ac02735)
2014-07-07 20:35:49 +10:00
Viktor Dukhovni
e83c913723 Update API to use (char *) for email addresses and hostnames
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().

(cherry picked from commit 297c67fcd8)
2014-07-07 19:20:34 +10:00
Viktor Dukhovni
55fe56837a Set optional peername when X509_check_host() succeeds.
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.

(cherry picked from commit ced3d9158a)
2014-07-07 19:20:34 +10:00
Viktor Dukhovni
449d864515 Multiple verifier reference identities.
Implemented as STACK_OF(OPENSSL_STRING).

(cherry picked from commit 8abffa4a73)
2014-07-07 19:19:13 +10:00
Viktor Dukhovni
609daababb More complete X509_check_host documentation.
(cherry picked from commit d241b80409)
2014-06-25 18:21:35 +01:00
Viktor Dukhovni
3cc8a3f234 Client-side namecheck wildcards.
A client reference identity of ".example.com" matches a server
certificate presented identity that is any sub-domain of "example.com"
(e.g. "www.sub.example.com).

With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches
only direct child sub-domains (e.g. "www.sub.example.com").
(cherry picked from commit e52c52f10bb8e34aaf8f28f3e5b56939e8f6b357)
2014-06-12 23:19:24 +01:00
Viktor Dukhovni
a2219f6be3 Fixes to host checking.
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
(cherry picked from commit 397a8e747d)
2014-05-21 11:32:19 +01:00
Dr. Stephen Henson
12c56e4888 Sync crypto documentation with master branch. 2014-03-03 15:12:17 +00:00