From the OpenSSL documentation presented for the function “SSL_get_verify_result” here:
http://www.openssl.org/docs/ssl/SSL_get_verify_result.html
It states that the errors are given here:
http://www.openssl.org/docs/apps/verify.html
So which of these errors will be invoked if there is an SSL host mismatch error,
i.e. the hostname in the certificate and the hostname from the request are different?
And also, which of those errors can actually be safe to ignore?
SSL_get_verify_result does not do a hostname mismatch search. We have to do that manually, taking into consideration multiple CNs and subject alternative names (SANs) that come in the certificate.
The functions that can be used for handling multiple CNs are:
Calling X509_NAME_get_index_by_NID again using the new lastpos will give us the next CN, until it returns -1, which says there are no more CNs available.
This function gives an X509_NAME_ENTRY *, which can be converted to char * using ASN1_STRING_to_UTF8. Be sure to consider the wildcards that come in the SANs and CNs.
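The comparison step that the answer above leaves to the reader, as an added example that is not from the original answer or from OpenSSL: it assumes the CN values (from the X509_NAME_get_index_by_NID loop) and the dNSName SAN values have already been extracted into plain C strings, and shows a conservative wildcard policy (wildcard only as the entire leftmost label, never spanning a dot, never for a single-label suffix) plus the RFC 6125 rule that CNs are only consulted when the certificate carries no dNSName SANs.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of two DNS name fragments. */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Match one certificate name (a CN or a dNSName SAN) against the requested host.
 * Caller must already have rejected names whose ASN1_STRING length differs from
 * strlen() (embedded NUL). A wildcard is honoured only as the whole leftmost
 * label ("*.example.com"): it never spans a dot and "*.com" is refused. Any
 * other use of '*' is treated as a literal and therefore will not match. */
bool name_matches_host(const char *pattern, const char *host) {
    if (!pattern || !host || !*pattern || !*host) return false;
    if (strncmp(pattern, "*.", 2) != 0)
        return label_eq(pattern, strlen(pattern), host, strlen(host));
    const char *suffix = pattern + 1;                  /* ".example.com" */
    if (strchr(suffix + 1, '.') == NULL) return false; /* reject "*.com" */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host) return false;      /* host needs a leftmost label */
    return label_eq(suffix, strlen(suffix), dot, strlen(dot));
}

/* Decide whether a certificate identifies `host`. `sans` holds the dNSName SAN
 * entries and `cns` every CN collected by the lastpos loop; either list may be
 * empty (count 0). Per RFC 6125, when any dNSName SAN is present the CNs are
 * ignored entirely, so a stray CN cannot widen what the certificate names. */
bool cert_identifies_host(const char *const *sans, size_t nsans,
                          const char *const *cns, size_t ncns,
                          const char *host) {
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (name_matches_host(sans[i], host)) return true;
        return false;
    }
    for (size_t i = 0; i < ncns; i++)
        if (name_matches_host(cns[i], host)) return true;
    return false;
}
```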