Re: [exim-dev] [Bug 1479] hostname check missing when verify…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1479] hostname check missing when verifying X509 certificate
On Sat, May 17, 2014 at 04:13:59PM +0000, Viktor Dukhovni wrote:

> If (likely when) my patch for X509_check_host() is adopted you'll want
> to specify a non-zero value for the final "flags" argument:
>
>     X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
>
> I'll drop you a note when this happens. With this flag wildcards
> can only take the form "*.example.com", not "mx*.example.com" or
> "*mx.example.com". The latter are not applicable to SMTP per
> RFC 6125, the DANE draft or the upcoming MTA-to-MTA namechecks
> draft from the UTA working group.

My patch is now in the OpenSSL master (a.k.a. 1.1.0-dev) and 1.0.2
branches. Therefore you can now begin to use the

    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

flag with X509_check_host() with OpenSSL 1.0.2 or greater. It may
be best to test the OpenSSL version macro as follows:

    OPENSSL_VERSION_NUMBER > 0x10002002L

which only becomes true after 1.0.2-beta2 which is the last release
without the hostname check update. Alternatively, you can just check
for:

    #ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

or if you only want to start 1.0.2 support with the official release
rather than beta versions:

    OPENSSL_VERSION_NUMBER > 0x1000200fL

the last nibble is the beta release level, with "f" meaning not a
beta release.

-- 
    Viktor.
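As an added illustration (not Viktor's code and not OpenSSL's own implementation), here is a constructed, self-contained C sketch of the two rules the mail relies on: the status nibble at the bottom of OPENSSL_VERSION_NUMBER, and the "whole leftmost label only" wildcard rule that X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS enforces in X509_check_host(). The DEMO_ flag constant and the function names are stand-ins chosen for this example, not OpenSSL identifiers.

```c
#include <string.h>
#include <ctype.h>

/* Stand-in for OpenSSL's X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS (real value: <openssl/x509v3.h>). */
#define DEMO_NO_PARTIAL_WILDCARDS 0x1u

/* OPENSSL_VERSION_NUMBER for 1.x is 0xMNNFFPPS: the low nibble S is the status,
 * 0x1..0xe = beta level, 0xf = final release. 0x10002002L is therefore 1.0.2-beta2. */
int version_has_host_check(unsigned long v) { return v > 0x10002002L; }
int version_is_final_release(unsigned long v) { return (v & 0xfUL) == 0xfUL; }

/* Case-insensitive comparison of n bytes of two DNS labels. */
static int label_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match a certificate dNSName against a host name. A single '*' is allowed only in the
 * leftmost label, matches exactly one label, and at least two labels must follow it.
 * With DEMO_NO_PARTIAL_WILDCARDS the wildcard label must be exactly "*" (no "mx*." / "*mx."). */
int demo_check_host(const char *cert_name, const char *host, unsigned flags)
{
    const char *star = strchr(cert_name, '*');
    if (star == NULL) {                     /* plain name: exact, case-insensitive */
        size_t n = strlen(cert_name);
        return strlen(host) == n && label_eq(cert_name, host, n);
    }
    const char *dot = strchr(cert_name, '.');   /* end of the wildcard label */
    if (dot == NULL || star > dot || strchr(star + 1, '*') != NULL)
        return 0;
    if ((flags & DEMO_NO_PARTIAL_WILDCARDS) && (star != cert_name || star + 1 != dot))
        return 0;                           /* partial wildcard such as "mx*." rejected */
    if (strchr(dot + 1, '.') == NULL)
        return 0;                           /* "*.com" would cover a whole TLD */
    const char *hdot = strchr(host, '.');   /* end of the host's leftmost label */
    if (hdot == NULL || hdot == host)
        return 0;
    size_t suffix = strlen(dot);
    if (strlen(hdot) != suffix || !label_eq(dot, hdot, suffix))
        return 0;                           /* everything after the wildcard label must agree */
    size_t pre = (size_t)(star - cert_name), post = (size_t)(dot - (star + 1));
    size_t hostlabel = (size_t)(hdot - host);
    if (hostlabel < pre + post)
        return 0;
    return label_eq(cert_name, host, pre) && label_eq(star + 1, hdot - post, post);
}
```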