On Sat, May 17, 2014 at 04:13:59PM +0000, Viktor Dukhovni wrote:

> If (likely when) my patch for X509_check_host() is adopted you'll want
> to specify a non-zero value for the final "flags" argument:
>
>     X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
>
> I'll drop you a note when this happens. With this flag wildcards
> can only take the form "*.example.com", not "mx*.example.com" or
> "*mx.example.com". The latter are not applicable to SMTP per
> RFC 6125, the DANE draft or the upcoming MTA-to-MTA namechecks
> draft from the UTA working group.
My patch is now in the OpenSSL master (a.k.a. 1.1.0-dev) and 1.0.2 branches.
Therefore you can now begin to use the X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
flag with X509_check_host() with OpenSSL 1.0.2 or greater.

It may be best to test the OpenSSL version macro as follows:

    OPENSSL_VERSION_NUMBER > 0x10002002L

which only becomes true after 1.0.2-beta2, which is the last release without
the hostname check update. Alternatively, you can just check for:

    #ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

or, if you only want to start 1.0.2 support with the official release rather
than beta versions:

    OPENSSL_VERSION_NUMBER > 0x1000200fL

The last nibble is the beta release level, with "f" meaning not a beta release.

-- 
	Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
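The two checks discussed in the message above, as an added example that is not part of the post and not OpenSSL code: it decodes OPENSSL_VERSION_NUMBER into its MNNFFPPS nibble fields so the two thresholds (0x10002002L and 0x1000200fL) can be compared, and models the wildcard forms that X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS permits. The version decoder and the matcher are simplified stand-ins, not OpenSSL's own routines, and the release check uses >= so that 1.0.2 final (0x1000200fL) itself qualifies.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the post or OpenSSL: models the version-macro
 * thresholds and the wildcard policy described in the message. */

struct ossl_version { int major, minor, fix, patch, status; };

/* Split an OpenSSL version number into its nibble fields (MNNFFPPS layout):
 * 0x1000200fL -> 1.0.2, no patch letter, status 0xf (release). */
struct ossl_version decode_version(unsigned long v)
{
    struct ossl_version r;
    r.major  = (int)((v >> 28) & 0xf);
    r.minor  = (int)((v >> 20) & 0xff);
    r.fix    = (int)((v >> 12) & 0xff);
    r.patch  = (int)((v >> 4) & 0xff);   /* 0 = no letter, 1 = 'a', ... */
    r.status = (int)(v & 0xf);           /* 0xf = release, 1..0xe = beta level */
    return r;
}

/* True once the hostname-check update is present: anything after 1.0.2-beta2. */
int has_hostcheck_update(unsigned long v) { return v > 0x10002002L; }

/* True for 1.0.2 final and later only, skipping every beta (>= rather than
 * the post's strict >, so 0x1000200fL itself counts). */
int is_release_1_0_2_or_later(unsigned long v) { return v >= 0x1000200fL; }

/* Simplified model of the flag's policy: a wildcard is acceptable only when the
 * first label is exactly "*" followed by at least one more label; patterns
 * without '*' are unaffected. "mx*.example.com" and "*mx.example.com" fail. */
int wildcard_form_allowed(const char *pattern)
{
    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return 1;                            /* no wildcard: nothing to restrict */
    if (star != pattern)
        return 0;                            /* "mx*.example.com": partial label */
    if (pattern[1] != '.' || pattern[2] == '\0')
        return 0;                            /* "*mx.example.com" or bare "*." */
    return strchr(pattern + 1, '*') == NULL; /* a second '*' is never allowed */
}

int main(void)
{
    const char *pats[] = { "*.example.com", "mx*.example.com", "*mx.example.com" };
    struct ossl_version v = decode_version(0x1000200fL);
    printf("0x1000200f -> %d.%d.%d status 0x%x\n", v.major, v.minor, v.fix, v.status);
    for (size_t i = 0; i < 3; i++)
        printf("%-18s %s\n", pats[i], wildcard_form_allowed(pats[i]) ? "allowed" : "rejected");
    return 0;
}
```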