[ldns-users] Hostname verification in certificate chain?

Willem Toorop willem at nlnetlabs.nl
Thu Feb 6 11:20:23 UTC 2020

Hi Jeff,

Indeed, the ldns_dane_verify() and ldns_dane_verify_rr() functions do
not perform server name checks as is also mentioned in the documentation
for the individual functions in dane.h:

 * BEWARE! The ldns dane verification functions do *not* do server name
 * checks.  The user has to perform additional server name checks
 * themselves!

and in the doxygen documentation here:


and here:


Kind regards,
-- Willem

Op 05-02-2020 om 18:12 schreef Jeffrey Walton via ldns-users:
> Hi Everyone,
> I may be parsing use of X509_verify_cert incorrectly... but it does
> not appear hostname matching and verification is occurring in dane.c.
> If I recall correctly... For OpenSSL 1.0.2, you had to manually match
> the server name in the request with hostname in the end entity
> certificate. It made using OpenSSL 1.0.2 a drag. Also see
> https://wiki.openssl.org/index.php/SSL/TLS_Client on the OpenSSL wiki.
> For OpenSSL 1.1.x, you use X509_VERIFY_PARAM_set_hostflags and
> X509_check_host to have the library do it. But I don't see a call to
> X509_VERIFY_PARAM_set_hostflags. Also see
> https://wiki.openssl.org/index.php/Hostname_validation on the OpenSSL
> wiki.
> Can someone familiar with the OpenSSL code in dane.c please take a look at it?
> Lack of hostname verification is a CVE item. If hostname verification
> is not occurring, then that should be listed in the README so folks
> are aware of the risk.
> Sorry to bring this up.
> Jeff
> _______________________________________________
> ldns-users mailing list
> ldns-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/ldns-users
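As an added example (not code from ldns, OpenSSL, or either poster), the following shows the server name check that a caller of ldns_dane_verify() or ldns_dane_verify_rr() has to perform itself, as the dane.h warning above says. In production the simplest route is OpenSSL's X509_check_host() (available since 1.0.2) on the end-entity certificate, or X509_VERIFY_PARAM_set1_host() on the verify parameters before verification; the matcher below re-implements the RFC 6125 DNS-ID rules in plain C so that it runs without linking either library and makes the edge cases explicit: wildcards only as the whole left-most label, a wildcard matching exactly one label, no wildcard directly under a top-level label, no partial wildcards such as f*.example.com, case-insensitive comparison, and tolerance of a trailing dot. The SAN dNSName list is constructed for the demo; real code extracts it from the X509 it passed to ldns. One caveat from RFC 7671: for certificate usage DANE-EE(3) the TLSA record itself identifies the end-entity key and name checks are relaxed, but for PKIX-TA/PKIX-EE and DANE-TA the caller still needs this check. The function names are this example's own.

```c
/* Added example: the RFC 6125 server-name check that ldns's DANE
 * verification functions deliberately leave to the caller.
 * Not ldns or OpenSSL code; prefer X509_check_host() in real programs. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_LABELS 128 /* a DNS name has at most 127 labels */

/* Case-insensitive comparison of two DNS labels. */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Split a dotted name into labels; a trailing dot yields no extra label.
 * Returns the number of labels stored (0 for an empty name). */
static size_t split_labels(const char *name, const char **starts,
                           size_t *lens, size_t max)
{
    size_t n = 0;
    const char *p = name;
    while (*p && n < max) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        starts[n] = p;
        lens[n] = len;
        n++;
        if (!dot) break;
        p = dot + 1;
    }
    return n;
}

/* True when a presented identifier (a SAN dNSName, possibly starting
 * with "*.") matches the reference hostname per RFC 6125 section 6.4.3. */
bool dns_id_matches(const char *presented, const char *reference)
{
    const char *ps[MAX_LABELS], *rs[MAX_LABELS];
    size_t pl[MAX_LABELS], rl[MAX_LABELS];
    size_t pn = split_labels(presented, ps, pl, MAX_LABELS);
    size_t rn = split_labels(reference, rs, rl, MAX_LABELS);

    /* the name we connected to is never a pattern */
    if (strchr(reference, '*')) return false;
    if (pn == 0 || rn == 0 || pn != rn) return false;

    size_t start = 0;
    if (pl[0] == 1 && ps[0][0] == '*') {
        /* "*" must be the whole left-most label and needs at least two
         * labels to its right: "*.example.com" is fine, "*.com" is not */
        if (pn < 3) return false;
        if (rl[0] == 0) return false; /* wildcard must match a real label */
        start = 1;
    }
    for (size_t i = start; i < pn; i++) {
        /* partial wildcards ("f*.example.com") and wildcards in any
         * label other than the left-most one are rejected */
        if (memchr(ps[i], '*', pl[i])) return false;
        if (!label_eq(ps[i], pl[i], rs[i], rl[i])) return false;
    }
    return true;
}

/* The check to add after ldns_dane_verify() returns LDNS_STATUS_OK:
 * accept only if one SAN dNSName of the end-entity certificate matches
 * the hostname the client connected to.  The CN fallback is left out on
 * purpose; modern validation relies on the SAN extension. */
bool server_name_ok(const char *const *san_dns, size_t n, const char *hostname)
{
    for (size_t i = 0; i < n; i++)
        if (dns_id_matches(san_dns[i], hostname)) return true;
    return false;
}

int main(void)
{
    /* constructed SAN list standing in for the certificate's dNSName values */
    const char *const sans[] = { "mail.example.net", "*.example.com" };
    size_t n = sizeof sans / sizeof sans[0];
    /* returns 0 when the name matches, 1 when it does not */
    return server_name_ok(sans, n, "smtp.example.com") ? 0 : 1;
}
```

In a real client the list would be filled from the certificate's subjectAltName extension, and the call would sit right after the ldns DANE verification call, with the connection aborted when it returns false.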
