Hi,
securely verifying the CN of an x509 cert seems to be pretty easy, since the
length of the CN field is returned by X509_NAME_get_text_by_NID().
Unfortunately the length of single fields in the x509v3 extension is
not returned. Assuming a value contains a NUL character, we cannot
distinguish between a real EOS marker and allowed NUL chars.
Do I need to convert the whole extension manually or does openssl
provide a way to determine the length of an element from an extension?
Other libs provide whole functions that internally verify all CNs with a
given hostname, but openssl does not provide this functionality, which
leads to several custom implementations in client software using libssl.
A common way to check alternative CN DNS entries seems to be (this
implementation fails to check the length, of course):
http://etutorials.org/Programming/secure+programming/Chapter+10.+Public+Key+Infrastructure/10.8+Adding+Hostname+Checking+to+Certificate+Verification/
Regards,
Leon Winter
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
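The length problem raised in the post is the whole issue: a dNSName from the subjectAltName extension is an ASN.1 string with an explicit length, and a C-string comparison silently stops at the first NUL byte. The following is an added example, not code from the original post or from the OpenSSL project: a length-aware matcher that takes the SAN value as a (pointer, length) pair, rejects any value with an embedded NUL, compares case-insensitively, and honours a leading "*." wildcard for exactly one label (RFC 6125 style, which goes beyond what the post asks for). In real code the pair would come from ASN1_STRING_length() and ASN1_STRING_get0_data() on the GENERAL_NAME's dNSName; here the sample values are constructed inline. The naive strcmp-based check is included only to show the failure mode (modern OpenSSL, 1.0.2 and later, also ships X509_check_host() for this purpose).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes (DNS names are ASCII). */
static int dns_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/* The broken check: treats the certificate value as a C string, so the
 * comparison stops at the first NUL and ignores whatever follows it. */
int naive_strcmp_matches(const unsigned char *san, const char *host)
{
    return strcmp((const char *)san, host) == 0;
}

/*
 * Match `host` against one dNSName value taken from a certificate, given as
 * an explicit (pointer, length) pair rather than a C string.  Returns 1 on
 * match, 0 otherwise.  An embedded NUL inside the certificate value is a
 * mismatch, never a terminator.  Wildcards: only a leading "*." is honoured,
 * and it covers exactly one label, so "*.example.com" matches
 * "foo.example.com" but neither "example.com" nor "a.b.example.com".
 */
int san_dns_matches(const unsigned char *san, size_t san_len, const char *host)
{
    if (san == NULL || host == NULL || san_len == 0)
        return 0;
    /* The length-aware check the post asks for: no NUL anywhere in the value. */
    if (memchr(san, '\0', san_len) != NULL)
        return 0;
    size_t host_len = strlen(host);
    if (host_len == 0)
        return 0;

    const char *s = (const char *)san;

    /* Exact match: lengths must agree before any byte is compared. */
    if (san_len == host_len)
        return dns_eq(s, host, san_len);

    /* Wildcard form "*.<suffix>": the host's first label stands in for "*". */
    if (san_len >= 3 && s[0] == '*' && s[1] == '.') {
        const char *suffix = s + 1;               /* ".example.com" */
        size_t suffix_len = san_len - 1;
        const char *dot = memchr(host, '.', host_len);
        if (dot == NULL || dot == host)           /* need a non-empty first label */
            return 0;
        size_t rest_len = host_len - (size_t)(dot - host);
        if (rest_len != suffix_len)               /* exactly one label consumed */
            return 0;
        if (memchr(suffix, '*', suffix_len) != NULL)  /* no second wildcard */
            return 0;
        return dns_eq(dot, suffix, suffix_len);
    }
    return 0;
}

int main(void)
{
    /* Constructed SAN value: "www.example.com" followed by a NUL and more text.
     * Its real ASN.1 length is 30 bytes; strlen() would report 15. */
    static const unsigned char evil[] = "www.example.com\0.attacker.test";
    const size_t evil_len = sizeof(evil) - 1;   /* 30, excludes the literal's own NUL */

    printf("naive strcmp accepts NUL-embedded SAN:  %d\n",
           naive_strcmp_matches(evil, "www.example.com"));
    printf("length-aware match rejects it:          %d\n",
           san_dns_matches(evil, evil_len, "www.example.com"));
    printf("case-insensitive exact match:           %d\n",
           san_dns_matches((const unsigned char *)"www.example.com", 15, "WWW.EXAMPLE.COM"));
    printf("wildcard matches one label:             %d\n",
           san_dns_matches((const unsigned char *)"*.example.com", 13, "foo.example.com"));
    printf("wildcard does not match two labels:     %d\n",
           san_dns_matches((const unsigned char *)"*.example.com", 13, "a.b.example.com"));
    return 0;
}
```

The essential defence is the order of checks: compare lengths first, scan the certificate value for NUL bytes with memchr() over its declared length, and only then compare bytes, so the certificate's own length field, not a terminator, decides where the name ends.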