Topic: Feature Request CyaSSL_check_domain_name()

Dear Team

currently CyaSSL_check_domain_name() does not verify altName's in the cert.

It would be great if it had a 3rd parameter for this, i.e.:
CyaSSL_check_domain_name(CYASSL* ssl, const char* dn, int checkAltName)
or similar.

What do you think?

Thank you for wolfSSL... 100% Top!
Greetings Hans-Jürgen Petrich


Re: Feature Request CyaSSL_check_domain_name()

Hi Hans-Jürgen,

DoCertificate() uses the domainName buffer supplied to CyaSSL_check_domain_name() to check a direct domain name match with MatchDomainName().  If that check fails, it tries the alt names next with CheckAltNames().  Are you using an older version that didn't have this?

Thanks,
-Todd


Re: Feature Request CyaSSL_check_domain_name()

Hallo Todd, thank you for your reply.
Ohh, I have to check it again (btw: I'm using version 3.2.0).
Maybe it's because I have to deal with wildcard* (alt)names in the cert. Does CyaSSL_check_domain_name() support wildcard (alt)names?

Thank you very much for your help.
Best greetings
Hans-Jürgen Petrich


Re: Feature Request CyaSSL_check_domain_name()

Yes, wildcards are supported. Each wildcard can represent a single name component or fragment, but not multiple names; that is, *.z.com matches y.z.com but not x.y.z.com.

Thanks,
-Todd

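To make the two rules Todd describes concrete (subject CN checked first, then each subjectAltName dNSName; a leading wildcard stands for exactly one label), here is a small stand-alone matcher. It is an added example written for this thread, not CyaSSL/wolfSSL code, and it does not call the library: match_domain_name() and check_domain_name() are hypothetical names chosen to mirror MatchDomainName()/CheckAltNames(), the case-insensitive comparison is this example's choice (the thread does not say how CyaSSL compares), and the sample names in main() are constructed to match the CN and altnames printed for the jabber.se certificate later in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive comparison of two name fragments of known length.
 * Assumption of this example: host names compare case-insensitively. */
static int ci_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    size_t i;
    if (alen != blen)
        return 0;
    for (i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match one certificate name (CN or dNSName) against the requested host.
 * Wildcard rule from the reply above: a leading "*" covers exactly one
 * label, so "*.z.com" matches "y.z.com" but not "x.y.z.com" or "z.com". */
int match_domain_name(const char *pattern, const char *host)
{
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = strchr(host, '.');
        /* the host must have a non-empty first label followed by a dot */
        if (dot == NULL || dot == host)
            return 0;
        /* "*.z.com" -> compare ".z.com" with the host from its first dot,
         * which rejects any host with more than one label in front of it */
        return ci_equal(pattern + 1, strlen(pattern + 1), dot, strlen(dot));
    }
    /* no wildcard: exact (case-insensitive) match of the whole name */
    return ci_equal(pattern, strlen(pattern), host, strlen(host));
}

/* Order described in the thread: the subject CN is tried first, then the
 * alt names. Returns 1 on a match and 0 on a mismatch, the case in which
 * the example client reports "err = -322, peer subject name mismatch". */
int check_domain_name(const char *cn, const char *const *alt_names,
                      size_t alt_count, const char *host)
{
    size_t i;
    if (match_domain_name(cn, host))
        return 1;
    for (i = 0; i < alt_count; i++)
        if (match_domain_name(alt_names[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* constructed to mirror the CN and altnames printed later in the thread */
    const char *cn = "www.jabber.se";
    const char *alts[] = { "jabber.se", "www.jabber.se" };
    const char *hosts[] = { "jabber.se", "www.jabber.se", "mail.jabber.se" };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-16s -> %s\n", hosts[i],
               check_domain_name(cn, alts, 2, hosts[i]) ? "match" : "mismatch");

    /* the wildcard cases from the reply above */
    printf("*.z.com vs y.z.com   -> %d\n", match_domain_name("*.z.com", "y.z.com"));
    printf("*.z.com vs x.y.z.com -> %d\n", match_domain_name("*.z.com", "x.y.z.com"));
    return 0;
}
```

Under these rules "jabber.se" is accepted through the altname even though the CN is "www.jabber.se", and "mail.jabber.se" is rejected because nothing in the certificate covers it; a wildcard entry "*.jabber.se" would be needed for that, and it would still not cover "a.b.jabber.se".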

Re: Feature Request CyaSSL_check_domain_name()

Hi Todd

In my test:

wget http://www.startssl.com/certs/ca.pem
examples/client/client -h jabber.se -p 443 -v 1 -A ./ca.pem -m

Fails (on my local Windows 7 machine) with:

err = -322, peer subject name mismatch
yassl error: SSL_connect failed

While

examples/client/client -h www.jabber.se -p 443 -v 1 -A ./ca.pem -m

Works.

issuer : /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
subject: /C=SE/CN=www.jabber.se/emailAddress=postmaster@jabber.se
altname = jabber.se
altname = www.jabber.se
serial number:10:36:d9

In the (StartSSL) cert, the CN=www.jabber.se and altname=jabber.se... so it should work... shouldn't it?

Or did I miss something?

Thank you for your time.
Greetings Hans-Jürgen Petrich


PS: client.exe was compiled on Windows 7 (64-bit) with mingw32 with the following ./configure

./configure C_EXTRA_FLAGS="-DFP_MAX_BITS=8192" --host=i386-pc-mingw32 --enable-fastmath --enable-opensslextra --enable-sni --enable-sha512 --enable-sha --enable-aesgcm --enable-aesccm --enable-ecc --enable-sessioncerts --enable-hc128 && make
