]>
Commit | Line | Data |
---|---|---|
919ba009 VD |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
1bc74519 RS |
5 | SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername - |
6 | SSL server verification parameters | |
919ba009 VD |
7 | |
8 | =head1 SYNOPSIS | |
9 | ||
10 | #include <openssl/ssl.h> | |
919ba009 VD |
11 | |
12 | int SSL_set1_host(SSL *s, const char *hostname); | |
13 | int SSL_add1_host(SSL *s, const char *hostname); | |
14 | void SSL_set_hostflags(SSL *s, unsigned int flags); | |
4588cb44 | 15 | const char *SSL_get0_peername(SSL *s); |
919ba009 VD |
16 | |
17 | =head1 DESCRIPTION | |
18 | ||
19 | These functions configure server hostname checks in the SSL client. | |
20 | ||
21 | SSL_set1_host() sets the expected DNS hostname to B<name> clearing | |
2d3c5ee1 P |
22 | any previously specified hostname. If B<name> is NULL |
23 | or the empty string, the list of hostnames is cleared and name | |
919ba009 VD |
24 | checks are not performed on the peer certificate. When a non-empty |
25 | B<name> is specified, certificate verification automatically checks | |
26 | the peer hostname via L<X509_check_host(3)> with B<flags> as specified | |
27 | via SSL_set_hostflags(). Clients that enable DANE TLSA authentication | |
28 | via L<SSL_dane_enable(3)> should leave it to that function to set | |
29 | the primary reference identifier of the peer, and should not call | |
30 | SSL_set1_host(). | |
31 | ||
32 | SSL_add1_host() adds B<name> as an additional reference identifier | |
33 | that can match the peer's certificate. Any previous names set via | |
34 | SSL_set1_host() or SSL_add1_host() are retained, no change is made | |
35 | if B<name> is NULL or empty. When multiple names are configured, | |
36 | the peer is considered verified when any name matches. This function | |
63b65834 | 37 | is required for DANE TLSA in the presence of service name indirection |
919ba009 VD |
38 | via CNAME, MX or SRV records as specified in RFC7671, RFC7672 or |
39 | RFC7673. | |
40 | ||
41 | SSL_set_hostflags() sets the B<flags> that will be passed to | |
42 | L<X509_check_host(3)> when name checks are applicable, by default | |
43 | the B<flags> value is 0. See L<X509_check_host(3)> for the list | |
44 | of available flags and their meaning. | |
45 | ||
46 | SSL_get0_peername() returns the DNS hostname or subject CommonName | |
47 | from the peer certificate that matched one of the reference | |
48 | identifiers. When wildcard matching is not disabled, the name | |
49 | matched in the peer certificate may be a wildcard name. When one | |
50 | of the reference identifiers configured via SSL_set1_host() or | |
51 | SSL_add1_host() starts with ".", which indicates a parent domain prefix | |
52 | rather than a fixed name, the matched peer name may be a sub-domain | |
53 | of the reference identifier. The returned string is allocated by | |
54 | the library and is no longer valid once the associated B<ssl> handle | |
55 | is cleared or freed, or a renegotiation takes place. Applications | |
56 | must not free the return value. | |
57 | ||
58 | SSL clients are advised to use these functions in preference to | |
55a6250f | 59 | explicitly calling L<X509_check_host(3)>. Hostname checks may be out |
919ba009 VD |
60 | of scope with the RFC7671 DANE-EE(3) certificate usage, and the |
61 | internal check will be suppressed as appropriate when DANE is | |
62 | enabled. | |
63 | ||
64 | =head1 RETURN VALUES | |
65 | ||
66 | SSL_set1_host() and SSL_add1_host() return 1 for success and 0 for | |
67 | failure. | |
68 | ||
69 | SSL_get0_peername() returns NULL if peername verification is not | |
70 | applicable (as with RFC7671 DANE-EE(3)), or no trusted peername was | |
71 | matched. Otherwise, it returns the matched peername. To determine | |
72 | whether verification succeeded call L<SSL_get_verify_result(3)>. | |
73 | ||
cda77422 | 74 | =head1 EXAMPLES |
919ba009 VD |
75 | |
76 | Suppose "smtp.example.com" is the MX host of the domain "example.com". | |
77 | The calls below will arrange to match either the MX hostname or the | |
78 | destination domain name in the SMTP server certificate. Wildcards | |
79 | are supported, but must match the entire label. The actual name | |
80 | matched in the certificate (which might be a wildcard) is retrieved, | |
81 | and must be copied by the application if it is to be retained beyond | |
82 | the lifetime of the SSL connection. | |
83 | ||
2947af32 BB |
84 | SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); |
85 | if (!SSL_set1_host(ssl, "smtp.example.com")) | |
86 | /* error */ | |
87 | if (!SSL_add1_host(ssl, "example.com")) | |
88 | /* error */ | |
89 | ||
90 | /* XXX: Perform SSL_connect() handshake and handle errors here */ | |
91 | ||
92 | if (SSL_get_verify_result(ssl) == X509_V_OK) { | |
93 | const char *peername = SSL_get0_peername(ssl); | |
94 | ||
95 | if (peername != NULL) | |
96 | /* Name checks were in scope and matched the peername */ | |
97 | } | |
919ba009 VD |
98 | |
99 | =head1 SEE ALSO | |
100 | ||
98ca37e4 | 101 | L<ssl(7)>, |
919ba009 VD |
102 | L<X509_check_host(3)>, |
103 | L<SSL_get_verify_result(3)>. | |
104 | L<SSL_dane_enable(3)>. | |
105 | ||
106 | =head1 HISTORY | |
107 | ||
fc5ecadd | 108 | These functions were added in OpenSSL 1.1.0. |
919ba009 | 109 | |
e2f92610 RS |
110 | =head1 COPYRIGHT |
111 | ||
83cf7abf | 112 | Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 113 | |
4746f25a | 114 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
115 | this file except in compliance with the License. You can obtain a copy |
116 | in the file LICENSE in the source distribution or at | |
117 | L<https://www.openssl.org/source/license.html>. | |
118 | ||
119 | =cut |