Topic: SSL certificate hostname verification

Hi All,

We have been using and testing embedded SSL functionality of wolfSSL. Until now, everything works fine. But I am wondering whether and how hostname verification is supported when the client does server certificate verification.

For hostname verification, the client shall try to match the fully qualified DNS name (IP address and port) of the requested server to one of the identifiers in the server certificate. There is the method wolfSSL_set_fd(WOLFSSL* ssl, int fd) to pass in connection information such as IP address and port. But I did not find the place in the source code where this information is used for validation.

Could you please advise?

Thanks, Yun


Re: SSL certificate hostname verification

Hi Yun,

> But I did not find the place in the source code where this information is used for validation.

I think you are looking for:

wolfSSL_check_domain_name()
https://github.com/cyassl/cyassl/blob/m … ent.c#L628

and maybe additionally also for:
wolfSSL_CTX_load_verify_locations()
https://github.com/cyassl/cyassl/blob/m … ent.c#L535

Greetings Hans-Jürgen


Re: SSL certificate hostname verification

Hi Hans-Jürgen,

I added the following function wolfSSL_check_domain_name(ssl, host) before calling wolfSSL_connect(ssl). This ensures hostname verification will be done during the handshake (in the DoCertificate() method).

Thanks!
Yun

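The comparison that hostname verification comes down to, sketched as an added example (not from the thread and not wolfSSL's own code): the host name the application asked for is matched against the DNS names carried in the server certificate. `name_matches`, `host_in_cert`, `check_sample` and the sample names are hypothetical, and the wildcard rule shown (whole left-most label only, covering exactly one label) is an assumption following common practice.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality; DNS names compare without regard to case. */
static int ci_equal(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Match one certificate DNS name against the requested host.
 * Assumed rule: '*' is honoured only as the entire left-most label
 * ("*.example.com") and stands for exactly one label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return ci_equal(pattern, host);
    const char *suffix = pattern + 1;            /* ".example.com" */
    const char *dot = strchr(host, '.');         /* end of the host's first label */
    if (dot == NULL || dot == host) return 0;    /* no label for '*' to cover */
    if (strchr(suffix + 1, '.') == NULL) return 0; /* refuse "*.com" */
    return ci_equal(dot, suffix);
}

/* Return 1 if host matches any of the n names taken from the certificate. */
int host_in_cert(const char *host, const char *const *names, size_t n)
{
    if (host == NULL || *host == '\0') return 0;
    for (size_t i = 0; i < n; i++)
        if (name_matches(names[i], host)) return 1;
    return 0;
}

/* Constructed sample: DNS names of a hypothetical server certificate. */
static const char *const SAMPLE_NAMES[] = { "www.example.com", "*.api.example.com" };

int check_sample(const char *host)
{
    return host_in_cert(host, SAMPLE_NAMES, sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0]);
}

int main(void)
{
    const char *hosts[] = { "www.example.com", "v1.api.example.com", "a.b.api.example.com",
                            "api.example.com", "www.example.com.evil.test" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-28s %s\n", hosts[i], check_sample(hosts[i]) ? "match" : "REJECT");
    return 0;
}
```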