On Sat, May 17, 2014 at 04:13:59PM +0000, Viktor Dukhovni wrote:
> If (likely when) my patch for X509_check_host() is adopted you'll want
> to specify a non-zero value for the final "flags" argument:
>
> X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
>
> I'll drop you a note when this happens. With this flag wildcards
> can only take the form "*.example.com", not "mx*.example.com" or
> "*mx.example.com". The latter are not applicable to SMTP per
> RFC 6125, the DANE draft or the upcoming MTA-to-MTA namechecks
> draft from the UTA working group.
My patch is now in the OpenSSL master (a.k.a. 1.1.0-dev) and 1.0.2
branches. Therefore you can now begin to use the
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
flag with X509_check_host() with OpenSSL 1.0.2 or greater. It may
be best to test the OpenSSL version macro as follows:
OPENSSL_VERSION_NUMBER > 0x10002002L
which only becomes true after 1.0.2-beta2 which is the last release
without the hostname check update. Alternatively, you can just check
for:
#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
or if you only want to start 1.0.2 support with the official release
rather than beta versions:
OPENSSL_VERSION_NUMBER > 0x1000200fL
the last nibble is the beta release level, with "f" meaning not a
beta release.
--
Viktor.
