I was looking through the docs on the upcoming X509_check_host(3) and friends (https://www.openssl.org/docs/crypto/X509_check_host.html) and I have a few questions.
#include <openssl/x509.h>

int X509_check_host(X509 *, const unsigned char *name, size_t namelen, unsigned int flags);
int X509_check_email(X509 *, const unsigned char *address, size_t addresslen, unsigned int flags);
int X509_check_ip(X509 *, const unsigned char *address, size_t addresslen, unsigned int flags);
int X509_check_ip_asc(X509 *, const char *address, unsigned int flags);

*****

For a flags of 0:

  The flags argument is usually 0. It can be the bitwise OR of the flags...

What type of wildcard matching occurs with a flags of 0? Or does wildcard matching *not* occur with a flags of 0? I guess what I am asking: what is the default behavior? It's not clear from the basic description.

*****

For X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS:

  If set, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS suppresses support for ``*'' as wildcard pattern in labels that have a prefix or suffix, such as: ``www*'' or ``*www''; this only applies to X509_check_host.

Is that the "leftmost" rule? I.e., a wildcard must be at the leftmost label?

*****

What is the purpose of allowing a leading dot for a hostname? I.e., why is ".example.com" allowed? A leading dot does not appear to be a valid hostname nor a well-formed FQDN. I don't recall reading about it in the RFCs or the CA/B Forum documents (RFCs 5280, 6125 or CA/B Baseline Requirements). I would expect a certificate with it to be rejected as malformed.

*****

Is there an intersection with EV OIDs? Or is it out of scope for host name matching? According to the CA/B EV Guidelines, wildcards are not allowed in EV certificates. So I would expect a wildcarded cert to be rejected as malformed if it's an EV certificate.

*****

Would it be possible to receive the reason for a failure? For example, I would consider a DNS name in the CN a soft failure that I could recover from (both the RFC and the CA/B Forum have deprecated the practice, but it's still frequently encountered).

But a wildcard match with trickery, such as a DNS name of "*.com", would be a hard failure that I would not attempt to recover from. As another example, Java will fail a cert for overlapping DNS names in the Subject Alt Names of a certificate, like having both "*.com" and "www.*.com", or having both "*.com" and "example.com".

So maybe something like the following, where `reason` is an optional bitmask that is valid *if* the function fails:

int X509_check_host(X509 *, const unsigned char *name, size_t namelen, unsigned int flags, int* reason);

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
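The matching rules the post asks about (wildcards only in the leftmost label, partial wildcards such as ``www*'' and the flag that suppresses them, and the leading dot), worked through as an added illustrative example in Python. This is not OpenSSL's code. It models the behaviour the X509_check_host(3) manual page describes, where the leading dot belongs to the caller's `name` argument, not to the certificate: a reference of ".example.com" is matched by a certificate valid for any sub-domain of example.com, and X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS restricts that to direct children. The function names, the keyword arguments standing in for the flags and the sample SAN list below are assumptions made for this example; the policy that a wildcard must be followed by at least two labels and must match at least one character is the choice made here, not a statement about OpenSSL's exact implementation.

```python
import re

# One DNS label: letters, digits, hyphens (not at either end), plus '*' for patterns.
LABEL_RE = re.compile(r"^[a-z0-9*](?:[a-z0-9*-]*[a-z0-9*])?$")

# Constructed SAN dNSName list standing in for a certificate's subjectAltName.
SAMPLE_SAN = ["www.example.com", "*.example.com", "www*.example.net"]


def _labels(name):
    """Lower-case, drop a trailing dot, split into labels."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def wildcard_position_ok(pattern_labels):
    """Policy chosen for this example: a single '*' is accepted only in the
    leftmost label, and at least two labels must follow it, so
    '*.example.com' is fine while '*.com', '*' and 'www.*.com' are rejected."""
    if any("*" in label for label in pattern_labels[1:]):
        return False
    if "*" in pattern_labels[0]:
        if pattern_labels[0].count("*") != 1:
            return False
        if len(pattern_labels) < 3:
            return False
    return True


def _label_matches(pat_label, ref_label):
    """Match one label; the '*' must cover at least one character."""
    if "*" not in pat_label:
        return pat_label == ref_label
    prefix, suffix = pat_label.split("*", 1)
    if len(ref_label) < len(prefix) + len(suffix) + 1:
        return False
    return ref_label.startswith(prefix) and ref_label.endswith(suffix)


def match_hostname(cert_name, reference,
                   no_partial_wildcards=False, single_label_subdomains=False):
    """Does the certificate DNS name `cert_name` satisfy the caller's `reference`?

    The two keyword arguments stand in for X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
    and X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS (names are the only thing
    borrowed from OpenSSL; the logic is this example's own)."""
    pat = _labels(cert_name)
    if not pat or not all(LABEL_RE.match(label) for label in pat):
        return False
    if not wildcard_position_ok(pat):
        return False
    if no_partial_wildcards and "*" in pat[0] and pat[0] != "*":
        return False

    if reference.startswith("."):
        # Leading dot in the reference: any sub-domain of it is acceptable.
        suffix = _labels(reference[1:])
        if not suffix or len(pat) <= len(suffix) or pat[-len(suffix):] != suffix:
            return False
        if single_label_subdomains and len(pat) != len(suffix) + 1:
            return False
        return True

    ref = _labels(reference)
    if not ref or any("*" in label for label in ref):
        return False
    # A wildcard never spans a dot, so the label counts must agree exactly.
    if len(ref) != len(pat) or pat[1:] != ref[1:]:
        return False
    return _label_matches(pat[0], ref[0])


def check_host(san_dns_names, reference, **flags):
    """Model of X509_check_host over the dNSName entries: the first matching
    entry, or None if nothing matches."""
    for name in san_dns_names:
        if match_hostname(name, reference, **flags):
            return name
    return None


if __name__ == "__main__":
    for ref in ("www.example.com", "mail.example.com", ".example.com",
                "www1.example.net", "www.example.org"):
        print(f"{ref:20} -> {check_host(SAMPLE_SAN, ref)}")
```

With default settings the partial wildcard ``www*.example.net'' matches ``www1.example.net''; passing `no_partial_wildcards=True` turns that into a failure while leaving ``*.example.com'' usable. The leading-dot case shows why ".example.com" is accepted as an input: it describes what the caller will accept, and never appears in the certificate itself.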