| =pod |
| |
| =head1 NAME |
| |
| SSL_set1_dnsname, SSL_add1_dnsname, |
| SSL_set1_ipaddr, SSL_add1_ipaddr, |
| SSL_set1_host, SSL_add1_host, |
| SSL_set_hostflags, SSL_get0_peername - |
| SSL server verification parameters |
| |
| =head1 SYNOPSIS |
| |
| #include <openssl/ssl.h> |
| |
| int SSL_set1_host(SSL *s, const char *host); |
| int SSL_add1_host(SSL *s, const char *host); |
| int SSL_set1_dnsname(SSL *s, const char *dnsname); |
| int SSL_add1_dnsname(SSL *s, const char *dnsname); |
| int SSL_set1_ipaddr(SSL *s, const uint8_t *ip_asc); |
| int SSL_add1_ipaddr(SSL *s, const char *ip_asc); |
| void SSL_set_hostflags(SSL *s, unsigned int flags); |
| const char *SSL_get0_peername(SSL *s); |
| |
| int SSL_set1_host(SSL *s, const char *host); |
| int SSL_add1_host(SSL *s, const char *host); |
| |
| =head1 DESCRIPTION |
| |
| These functions maintain lists of expected matches for peer |
| certificate subject alternative name (SAN) values is peer certificates |
| presented in an SSL connection. A peer certificate will be considered |
| a match for validation purposes if all of the following are true: |
| |
| * Any name in the dnsname list, if not empty, matches any SAN dnsname |
| in the certificate. If verification flags allow it, these will also |
| attempt to match against the CN in the subject. |
| |
| * Any address in the IP address list, if not empty, matches any IP |
| address SAN in the certificate. |
| |
| The set1 family of functions clears the list, and sets the first value |
| to the provided parameter if the provided parameter is not NULL. |
| |
| The add1 family of functions adds a single entry to the list. |
| |
| SSL_set1_dnsname() clears the list of dnsnames to match certificate |
| SAN dnsnames. |
| If I<dnsname> is not NULL, it will be checked for |
| validity and added to the list of DNS name reference identifiers as its first entry. |
| |
| SSL_set1_ipaddr() clears the list of addresses to match certificate IP address SANs. |
| If <ip_asc> is not NULL, it is parsed as an |
| IPv4 or IPv6 address and added to the list as its first entry. |
| |
| SSL_add1_dnsname() adds I<dnsname> to the list of DNS name reference |
| identifiers, if it has the correct structure for a DNS name. This |
| function is required for DANE TLSA in the presence of service name |
| indirection via CNAME, MX or SRV records as specified in RFCs 7671, |
| 7672, and 7673. |
| |
| SSL_add1_ipaddr() adds I<ip_asc> to the list of IP addresses, if it parses as an IP address. |
| |
| It is recommended that TLS clients use SSL_set1_dnsname() to configure server |
| hostname validation and L<SSL_set_tlsext_host_name(3)> to configure |
| Server Name Indication (SNI), which may be crucial also for correct |
| server certificate selection and/or routing of the connection request. |
| SSL_set1_ipaddr() |
| should be used for server IP address validation, |
| |
| SSL_set_hostflags() sets the I<flags> that will be passed to |
| L<X509_check_host(3)> when name checks are applicable, by default |
| the I<flags> value is 0. See L<X509_check_host(3)> for the list |
| of available flags and their meaning. |
| |
| SSL_get0_peername() returns the DNS hostname or subject CommonName |
| from the peer certificate that matched one of the reference |
| identifiers. When wildcard matching is not disabled, the name |
| matched in the peer certificate may be a wildcard name. When one |
| of the reference identifiers configured via SSL_set1_host() or |
| SSL_add1_host() starts with ".", which indicates a parent domain prefix |
| rather than a fixed name, the matched peer name may be a sub-domain |
| of the reference identifier. The returned string is allocated by |
| the library and is no longer valid once the associated I<ssl> handle |
| is cleared or freed, or a renegotiation takes place. Applications |
| must not free the return value. |
| |
| SSL clients are advised to use these functions in preference to |
| explicitly calling L<X509_check_host(3)>. Hostname checks may be out |
| of scope with the RFC 7671 DANE-EE(3) certificate usage, and the |
| internal check will be suppressed as appropriate when DANE is |
| enabled. |
| |
| ==head1 DEPRECATED FUNCTIONS |
| |
| SSL_set1_host and SSL_add1_host are deprecated as of OpenSSL 4.0.0. |
| SSL_set1_dnsname(), SSL_add1_dnsname(), SSL_set1_ipaddr() and SSL_add1_ipaddr() should be used instead. |
| |
| SSL_set1_host() sets in the verification parameters of I<s> |
| the expected DNS hostname or IP address to I<host>, |
| clearing any previously specified IP address and hostnames. |
| If I<host> is NULL or the empty string, IP address |
| and hostname checks are not performed on the peer certificate. |
| When a nonempty I<host> is specified, certificate verification automatically |
| checks the peer hostname via L<X509_check_host(3)> with I<flags> as specified |
| via SSL_set_hostflags(). Clients that enable DANE TLSA authentication |
| via L<SSL_dane_enable(3)> should leave it to that function to set |
| the primary reference identifier of the peer, and should not call |
| SSL_set1_host(). |
| |
| SSL_add1_host() adds I<host> as an additional reference identifier |
| that can match the peer's certificate. Any previous hostnames set via |
| SSL_set1_host() or SSL_add1_host() are retained. Adding an IP address |
| is allowed only if no IP address has been set before. No change is |
| made if I<host> is NULL or empty. The peer is considered verified |
| when any of the added hostnames, if present, match, and the provided |
| IP address, if present, matches. |
| |
| =head1 RETURN VALUES |
| |
| SSL_set1_dnsname(), SSL_set1_ipaddr(), |
| SSL_add1_dnsname(), SSL_add1_ipaddr(), |
| SSL_set1_host() and SSL_add1_host() return 1 for success and 0 for |
| failure. |
| |
| SSL_set_hostflags() returns nothing at all. |
| |
| SSL_get0_peername() returns NULL if peername verification is not |
| applicable (as with RFC 7671 DANE-EE(3)), or no trusted peername was |
| matched. Otherwise, it returns the matched peername. To determine |
| whether verification succeeded call L<SSL_get_verify_result(3)>. |
| |
| =head1 EXAMPLES |
| |
| Suppose "smtp.example.com" is the MX host of the domain "example.com". |
| The calls below will arrange to match either the MX hostname or the |
| destination domain name in the SMTP server certificate. Wildcards |
| are supported, but must match the entire label. The actual name |
| matched in the certificate (which might be a wildcard) is retrieved, |
| and must be copied by the application if it is to be retained beyond |
| the lifetime of the SSL connection. |
| |
| SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); |
| if (!SSL_set1_dnsname(ssl, "smtp.example.com")) |
| /* error */ |
| if (!SSL_add1_dnsname(ssl, "example.com")) |
| /* error */ |
| |
| /* XXX: Perform SSL_connect() handshake and handle errors here */ |
| |
| if (SSL_get_verify_result(ssl) == X509_V_OK) { |
| const char *peername = SSL_get0_peername(ssl); |
| |
| if (peername != NULL) |
| /* Name checks were in scope and matched the peername */ |
| } |
| |
| =head1 SEE ALSO |
| |
| L<ssl(7)>, |
| L<X509_check_host(3)>, L<SSL_set_tlsext_host_name(3)>, |
| L<SSL_get_verify_result(3)>, L<SSL_dane_enable(3)> |
| |
| =head1 HISTORY |
| |
| These functions were added in OpenSSL 1.1.0. |
| |
| SSL_set1_host and SSL_add1_host were deprecated in OpenSSL 4.0.0 |
| |
| =head1 COPYRIGHT |
| |
| Copyright 2016-2026 The OpenSSL Project Authors. All Rights Reserved. |
| |
| Licensed under the Apache License 2.0 (the "License"). You may not use |
| this file except in compliance with the License. You can obtain a copy |
| in the file LICENSE in the source distribution or at |
| L<https://www.openssl.org/source/license.html>. |
| |
| =cut |
