Yes, indeed I don't want to take into account the CN, only the SANs. Thanks
for the extra flag and all the clarifications!
Best regards,
Theodor
>
>
> > > > For now I am using X509_VERIFY_PARAM_set1_host with SSL_CTX_set1_param to
> > > > do this specific check.
> > >
> > > That's the
On Sat, Mar 28, 2020 at 10:56:20PM +0200, George-Theodor Serbana wrote:
> > > For now I am using X509_VERIFY_PARAM_set1_host with SSL_CTX_set1_param to
> > > do this specific check.
> >
> > That's the slightly less convenient legacy API from OpenSSL 1.0.2.
> > In 1.1.0 and later, you can
> I am writing a SSL/TLS client (using Boost.Beast but underlying it's using
> OpenSSL) and although I have set on the SSL context the 'verify_peer' flag,
> there is no verification to prove the server presents an X509 which
> contains in the Subject Alternative Names the hostname of that server.
On Fri, Mar 27, 2020 at 07:38:35PM +0200, George-Theodor Serbana wrote:
> I am writing a SSL/TLS client (using Boost.Beast but underlying it's using
> OpenSSL) and although I have set on the SSL context the 'verify_peer' flag,
> there is no verification to prove the server presents an X509 which
I am writing a SSL/TLS client (using Boost.Beast but underlying it's using
OpenSSL) and although I have set on the SSL context the 'verify_peer' flag,
there is no verification to prove the server presents an X509 which
contains in the Subject Alternative Names the hostname of that server.
As this