1e71b7053SJung-uk Kim=pod 2e71b7053SJung-uk Kim 3e71b7053SJung-uk Kim=head1 NAME 4e71b7053SJung-uk Kim 5e71b7053SJung-uk KimSSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername - 6e71b7053SJung-uk KimSSL server verification parameters 7e71b7053SJung-uk Kim 8e71b7053SJung-uk Kim=head1 SYNOPSIS 9e71b7053SJung-uk Kim 10e71b7053SJung-uk Kim #include <openssl/ssl.h> 11e71b7053SJung-uk Kim 12e71b7053SJung-uk Kim int SSL_set1_host(SSL *s, const char *hostname); 13e71b7053SJung-uk Kim int SSL_add1_host(SSL *s, const char *hostname); 14e71b7053SJung-uk Kim void SSL_set_hostflags(SSL *s, unsigned int flags); 15e71b7053SJung-uk Kim const char *SSL_get0_peername(SSL *s); 16e71b7053SJung-uk Kim 17e71b7053SJung-uk Kim=head1 DESCRIPTION 18e71b7053SJung-uk Kim 19e71b7053SJung-uk KimThese functions configure server hostname checks in the SSL client. 20e71b7053SJung-uk Kim 21e71b7053SJung-uk KimSSL_set1_host() sets the expected DNS hostname to B<name> clearing 22*b077aed3SPierre Proncheryany previously specified hostname. If B<name> is NULL 23*b077aed3SPierre Proncheryor the empty string, the list of hostnames is cleared and name 2458f35182SJung-uk Kimchecks are not performed on the peer certificate. When a nonempty 25e71b7053SJung-uk KimB<name> is specified, certificate verification automatically checks 26e71b7053SJung-uk Kimthe peer hostname via L<X509_check_host(3)> with B<flags> as specified 27e71b7053SJung-uk Kimvia SSL_set_hostflags(). Clients that enable DANE TLSA authentication 28e71b7053SJung-uk Kimvia L<SSL_dane_enable(3)> should leave it to that function to set 29e71b7053SJung-uk Kimthe primary reference identifier of the peer, and should not call 30e71b7053SJung-uk KimSSL_set1_host(). 31e71b7053SJung-uk Kim 32e71b7053SJung-uk KimSSL_add1_host() adds B<name> as an additional reference identifier 33e71b7053SJung-uk Kimthat can match the peer's certificate. Any previous names set via 34e71b7053SJung-uk KimSSL_set1_host() or SSL_add1_host() are retained, no change is made 35e71b7053SJung-uk Kimif B<name> is NULL or empty. When multiple names are configured, 36e71b7053SJung-uk Kimthe peer is considered verified when any name matches. This function 37e71b7053SJung-uk Kimis required for DANE TLSA in the presence of service name indirection 38e71b7053SJung-uk Kimvia CNAME, MX or SRV records as specified in RFC7671, RFC7672 or 39e71b7053SJung-uk KimRFC7673. 40e71b7053SJung-uk Kim 41e71b7053SJung-uk KimSSL_set_hostflags() sets the B<flags> that will be passed to 42e71b7053SJung-uk KimL<X509_check_host(3)> when name checks are applicable, by default 43e71b7053SJung-uk Kimthe B<flags> value is 0. See L<X509_check_host(3)> for the list 44e71b7053SJung-uk Kimof available flags and their meaning. 45e71b7053SJung-uk Kim 46e71b7053SJung-uk KimSSL_get0_peername() returns the DNS hostname or subject CommonName 47e71b7053SJung-uk Kimfrom the peer certificate that matched one of the reference 48e71b7053SJung-uk Kimidentifiers. When wildcard matching is not disabled, the name 49e71b7053SJung-uk Kimmatched in the peer certificate may be a wildcard name. When one 50e71b7053SJung-uk Kimof the reference identifiers configured via SSL_set1_host() or 51e71b7053SJung-uk KimSSL_add1_host() starts with ".", which indicates a parent domain prefix 52e71b7053SJung-uk Kimrather than a fixed name, the matched peer name may be a sub-domain 53e71b7053SJung-uk Kimof the reference identifier. The returned string is allocated by 54e71b7053SJung-uk Kimthe library and is no longer valid once the associated B<ssl> handle 55e71b7053SJung-uk Kimis cleared or freed, or a renegotiation takes place. Applications 56e71b7053SJung-uk Kimmust not free the return value. 57e71b7053SJung-uk Kim 58e71b7053SJung-uk KimSSL clients are advised to use these functions in preference to 59e71b7053SJung-uk Kimexplicitly calling L<X509_check_host(3)>. Hostname checks may be out 60e71b7053SJung-uk Kimof scope with the RFC7671 DANE-EE(3) certificate usage, and the 61e71b7053SJung-uk Kiminternal check will be suppressed as appropriate when DANE is 62e71b7053SJung-uk Kimenabled. 63e71b7053SJung-uk Kim 64e71b7053SJung-uk Kim=head1 RETURN VALUES 65e71b7053SJung-uk Kim 66e71b7053SJung-uk KimSSL_set1_host() and SSL_add1_host() return 1 for success and 0 for 67e71b7053SJung-uk Kimfailure. 68e71b7053SJung-uk Kim 69e71b7053SJung-uk KimSSL_get0_peername() returns NULL if peername verification is not 70e71b7053SJung-uk Kimapplicable (as with RFC7671 DANE-EE(3)), or no trusted peername was 71e71b7053SJung-uk Kimmatched. Otherwise, it returns the matched peername. To determine 72e71b7053SJung-uk Kimwhether verification succeeded call L<SSL_get_verify_result(3)>. 73e71b7053SJung-uk Kim 74da327cd2SJung-uk Kim=head1 EXAMPLES 75e71b7053SJung-uk Kim 76e71b7053SJung-uk KimSuppose "smtp.example.com" is the MX host of the domain "example.com". 77e71b7053SJung-uk KimThe calls below will arrange to match either the MX hostname or the 78e71b7053SJung-uk Kimdestination domain name in the SMTP server certificate. Wildcards 79e71b7053SJung-uk Kimare supported, but must match the entire label. The actual name 80e71b7053SJung-uk Kimmatched in the certificate (which might be a wildcard) is retrieved, 81e71b7053SJung-uk Kimand must be copied by the application if it is to be retained beyond 82e71b7053SJung-uk Kimthe lifetime of the SSL connection. 83e71b7053SJung-uk Kim 84e71b7053SJung-uk Kim SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); 85e71b7053SJung-uk Kim if (!SSL_set1_host(ssl, "smtp.example.com")) 86e71b7053SJung-uk Kim /* error */ 87e71b7053SJung-uk Kim if (!SSL_add1_host(ssl, "example.com")) 88e71b7053SJung-uk Kim /* error */ 89e71b7053SJung-uk Kim 90e71b7053SJung-uk Kim /* XXX: Perform SSL_connect() handshake and handle errors here */ 91e71b7053SJung-uk Kim 92e71b7053SJung-uk Kim if (SSL_get_verify_result(ssl) == X509_V_OK) { 93e71b7053SJung-uk Kim const char *peername = SSL_get0_peername(ssl); 94e71b7053SJung-uk Kim 95e71b7053SJung-uk Kim if (peername != NULL) 96e71b7053SJung-uk Kim /* Name checks were in scope and matched the peername */ 97e71b7053SJung-uk Kim } 98e71b7053SJung-uk Kim 99e71b7053SJung-uk Kim=head1 SEE ALSO 100e71b7053SJung-uk Kim 101*b077aed3SPierre ProncheryL<ssl(7)>, 102e71b7053SJung-uk KimL<X509_check_host(3)>, 103e71b7053SJung-uk KimL<SSL_get_verify_result(3)>. 104e71b7053SJung-uk KimL<SSL_dane_enable(3)>. 105e71b7053SJung-uk Kim 106e71b7053SJung-uk Kim=head1 HISTORY 107e71b7053SJung-uk Kim 1086935a639SJung-uk KimThese functions were added in OpenSSL 1.1.0. 109e71b7053SJung-uk Kim 110e71b7053SJung-uk Kim=head1 COPYRIGHT 111e71b7053SJung-uk Kim 11258f35182SJung-uk KimCopyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. 113e71b7053SJung-uk Kim 114*b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License"). You may not use 115e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 116e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 117e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 118e71b7053SJung-uk Kim 119e71b7053SJung-uk Kim=cut 120