[ldns-users] Hostname verification in certificate chain?

Jeffrey Walton noloader at gmail.com
Wed Feb 5 17:12:35 UTC 2020

Hi Everyone,

I may be parsing the use of X509_verify_cert incorrectly... but it does
not appear that hostname matching and verification are occurring in dane.c.

If I recall correctly... For OpenSSL 1.0.2, you had to manually match
the server name in the request with hostname in the end entity
certificate. It made using OpenSSL 1.0.2 a drag. Also see
https://wiki.openssl.org/index.php/SSL/TLS_Client on the OpenSSL wiki.

For OpenSSL 1.1.x, you use X509_VERIFY_PARAM_set_hostflags and
X509_check_host to have the library do it. But I don't see a call to
X509_VERIFY_PARAM_set_hostflags. Also see
https://wiki.openssl.org/index.php/Hostname_validation on the OpenSSL

Can someone familiar with the OpenSSL code in dane.c please take a look at it?

Lack of hostname verification is a CVE item. If hostname verification
is not occurring, then that should be listed in the README so folks
are aware of the risk.

Sorry to bring this up.


