From 3ebcecf5c459772c04c6fd4c260ef0a6090532b2 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Mon, 7 Jul 2014 20:34:06 +1000 Subject: [PATCH] Improve X509_check_host() documentation. Based on feedback from Jeffrey Walton. (cherry picked from commit b73ac027357da29d9e393f24cd224999c94028d1) --- doc/crypto/X509_check_host.pod | 67 ++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 28 deletions(-) diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod index 56ea38de2f..f8b530df9b 100644 --- a/doc/crypto/X509_check_host.pod +++ b/doc/crypto/X509_check_host.pod @@ -18,38 +18,41 @@ X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc - X.509 cert =head1 DESCRIPTION -The certificate matching functions are intended to be called to check -if a certificate matches a given host name, email address, or IP -address. The validity of the certificate and its trust level has to -be checked by other means. - -X509_check_host() checks if the certificate matches the specified -host name, which must be encoded in the preferred name syntax -described in section 3.5 of RFC 1034. Per section 6.4.2 of RFC 6125, -B values representing international domain names must be given -in A-label form. The B argument must be the number of -characters in the name string or zero in which case the length is -calculated with strlen(name). When B starts with a dot (e.g -".example.com"), it will be matched by a certificate valid for any -sub-domain of B, (see also B -below). When the certificate is matched and B is not -NULL a pointer to a copy of the matching hostname or CommonName -from the peer certificate is stored at the address passed in -B. The application is responsible for freeing the peername -via OPENSSL_free() when it is no longer needed. Applications are -advised to use X509_VERIFY_PARAM_set1_host() in preference to -explicitly calling L, hostname checks are out -of scope with the DANE-EE(3) certificate usage, and the internal -check will be suppressed as appropriate when DANE support is added -to OpenSSL. +The certificate matching functions are used to check whether a +certificate matches a given host name, email address, or IP address. +The validity of the certificate and its trust level has to be checked by +other means. + +X509_check_host() checks if the certificate Subject Alternative +Name (SAN) or Subject CommonName (CN) matches the specified host +name, which must be encoded in the preferred name syntax described +in section 3.5 of RFC 1034. By default, wildcards are supported +and they match only in the left-most label; but they may match +part of that label with an explicit prefix or suffix. For example, +by default, the host B "www.example.com" would match a +certificate with a SAN or CN value of "*.example.com", "w*.example.com" +or "*w.example.com". + +Per section 6.4.2 of RFC 6125, B values representing international +domain names must be given in A-label form. The B argument +must be the number of characters in the name string or zero in which +case the length is calculated with strlen(B). When B starts +with a dot (e.g ".example.com"), it will be matched by a certificate +valid for any sub-domain of B, (see also +B below). + +When the certificate is matched, and B is not NULL, a +pointer to a copy of the matching SAN or CN from the peer certificate +is stored at the address passed in B. The application +is responsible for freeing the peername via OPENSSL_free() when it +is no longer needed. X509_check_email() checks if the certificate matches the specified -email address. Only the mailbox syntax of RFC 822 is supported, +email B
. Only the mailbox syntax of RFC 822 is supported, comments are not allowed, and no attempt is made to normalize quoted characters. The B argument must be the number of -characters in the address string. The B argument must be -the number of characters in the name string or zero in which case the -length is calculated with strlen(name). +characters in the address string or zero in which case the length +is calculated with strlen(B
). X509_check_ip() checks if the certificate matches a specified IPv4 or IPv6 address. The B
array is in binary format, in network @@ -110,6 +113,14 @@ and -1 for an internal error: typically a memory allocation failure. X509_check_ip_asc() can also return -2 if the IP address string is malformed. +=head1 NOTES + +Applications are encouraged to use X509_VERIFY_PARAM_set1_host() +rather than explicitly calling L. Host name +checks are out of scope with the DANE-EE(3) certificate usage, +and the internal checks will be suppressed as appropriate when +DANE support is added to OpenSSL. + =head1 SEE ALSO L, -- 2.25.1