Startseite Erkunden Hilfe
Anmelden
dream
/
Android_verify
1
1
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: af1c26ddb5
Branches Tags
Android_verify
/
lib
/
openssl
/
share
/
man
/
man3
/
SSL_set1_host.3ossl

SSL_set1_host.3ossl 6.3 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173 
  1. .\" -*- mode: troff; coding: utf-8 -*-
    2. 

  2. .\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
    3. 

  3. .\"
    4. 

  4. .\" Standard preamble:
    5. 

  5. .\" ========================================================================
    6. 

  6. .de Sp \" Vertical space (when we can't use .PP)
    7. 

  7. .if t .sp .5v
    8. 

  8. .if n .sp
    9. 

  9. ..
    10. 

  10. .de Vb \" Begin verbatim text
    11. 

  11. .ft CW
    12. 

  12. .nf
    13. 

  13. .ne \\$1
    14. 

  14. ..
    15. 

  15. .de Ve \" End verbatim text
    16. 

  16. .ft R
    17. 

  17. .fi
    18. 

  18. ..
    19. 

  19. .\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
    20. 

  20. .ie n \{\
    21. 

  21. .    ds C` ""
    22. 

  22. .    ds C' ""
    23. 

  23. 'br\}
    24. 

  24. .el\{\
    25. 

  25. .    ds C`
    26. 

  26. .    ds C'
    27. 

  27. 'br\}
    28. 

  28. .\"
    29. 

  29. .\" Escape single quotes in literal strings from groff's Unicode transform.
    30. 

  30. .ie \n(.g .ds Aq \(aq
    31. 

  31. .el       .ds Aq '
    32. 

  32. .\"
    33. 

  33. .\" If the F register is >0, we'll generate index entries on stderr for
    34. 

  34. .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
    35. 

  35. .\" entries marked with X<> in POD.  Of course, you'll have to process the
    36. 

  36. .\" output yourself in some meaningful fashion.
    37. 

  37. .\"
    38. 

  38. .\" Avoid warning from groff about undefined register 'F'.
    39. 

  39. .de IX
    40. 

  40. ..
    41. 

  41. .nr rF 0
    42. 

  42. .if \n(.g .if rF .nr rF 1
    43. 

  43. .if (\n(rF:(\n(.g==0)) \{\
    44. 

  44. .    if \nF \{\
    45. 

  45. .        de IX
    46. 

  46. .        tm Index:\\$1\t\\n%\t"\\$2"
    47. 

  47. ..
    48. 

  48. .        if !\nF==2 \{\
    49. 

  49. .            nr % 0
    50. 

  50. .            nr F 2
    51. 

  51. .        \}
    52. 

  52. .    \}
    53. 

  53. .\}
    54. 

  54. .rr rF
    55. 

  55. .\" ========================================================================
    56. 

  56. .\"
    57. 

  57. .IX Title "SSL_SET1_HOST 3ossl"
    58. 

  58. .TH SSL_SET1_HOST 3ossl 2025-01-17 3.4.0 OpenSSL
    59. 

  59. .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
    60. 

  60. .\" way too many mistakes in technical documents.
    61. 

  61. .if n .ad l
    62. 

  62. .nh
    63. 

  63. .SH NAME
    64. 

  64. SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername \-
    65. 

  65. SSL server verification parameters
    66. 

  66. .SH SYNOPSIS
    67. 

  67. .IX Header "SYNOPSIS"
    68. 

  68. .Vb 1
    69. 

  69. \& #include <openssl/ssl.h>
    70. 

  70. \&
    71. 

  71. \& int SSL_set1_host(SSL *s, const char *hostname);
    72. 

  72. \& int SSL_add1_host(SSL *s, const char *hostname);
    73. 

  73. \& void SSL_set_hostflags(SSL *s, unsigned int flags);
    74. 

  74. \& const char *SSL_get0_peername(SSL *s);
    75. 

  75. .Ve
    76. 

  76. .SH DESCRIPTION
    77. 

  77. .IX Header "DESCRIPTION"
    78. 

  78. These functions configure server hostname checks in the SSL client.
    79. 

  79. .PP
    80. 

  80. \&\fBSSL_set1_host()\fR sets the expected DNS hostname to \fBname\fR clearing
    81. 

  81. any previously specified hostname.  If \fBname\fR is NULL
    82. 

  82. or the empty string, the list of hostnames is cleared and name
    83. 

  83. checks are not performed on the peer certificate.  When a nonempty
    84. 

  84. \&\fBname\fR is specified, certificate verification automatically checks
    85. 

  85. the peer hostname via \fBX509_check_host\fR\|(3) with \fBflags\fR as specified
    86. 

  86. via \fBSSL_set_hostflags()\fR.  Clients that enable DANE TLSA authentication
    87. 

  87. via \fBSSL_dane_enable\fR\|(3) should leave it to that function to set
    88. 

  88. the primary reference identifier of the peer, and should not call
    89. 

  89. \&\fBSSL_set1_host()\fR.
    90. 

  90. .PP
    91. 

  91. \&\fBSSL_add1_host()\fR adds \fBname\fR as an additional reference identifier
    92. 

  92. that can match the peer's certificate.  Any previous names set via
    93. 

  93. \&\fBSSL_set1_host()\fR or \fBSSL_add1_host()\fR are retained, no change is made
    94. 

  94. if \fBname\fR is NULL or empty.  When multiple names are configured,
    95. 

  95. the peer is considered verified when any name matches.  This function
    96. 

  96. is required for DANE TLSA in the presence of service name indirection
    97. 

  97. via CNAME, MX or SRV records as specified in RFC7671, RFC7672 or
    98. 

  98. RFC7673.
    99. 

  99. .PP
    100. 

  100. \&\fBSSL_set_hostflags()\fR sets the \fBflags\fR that will be passed to
    101. 

  101. \&\fBX509_check_host\fR\|(3) when name checks are applicable, by default
    102. 

  102. the \fBflags\fR value is 0.  See \fBX509_check_host\fR\|(3) for the list
    103. 

  103. of available flags and their meaning.
    104. 

  104. .PP
    105. 

  105. \&\fBSSL_get0_peername()\fR returns the DNS hostname or subject CommonName
    106. 

  106. from the peer certificate that matched one of the reference
    107. 

  107. identifiers.  When wildcard matching is not disabled, the name
    108. 

  108. matched in the peer certificate may be a wildcard name.  When one
    109. 

  109. of the reference identifiers configured via \fBSSL_set1_host()\fR or
    110. 

  110. \&\fBSSL_add1_host()\fR starts with ".", which indicates a parent domain prefix
    111. 

  111. rather than a fixed name, the matched peer name may be a sub-domain
    112. 

  112. of the reference identifier.  The returned string is allocated by
    113. 

  113. the library and is no longer valid once the associated \fBssl\fR handle
    114. 

  114. is cleared or freed, or a renegotiation takes place.  Applications
    115. 

  115. must not free the return value.
    116. 

  116. .PP
    117. 

  117. SSL clients are advised to use these functions in preference to
    118. 

  118. explicitly calling \fBX509_check_host\fR\|(3).  Hostname checks may be out
    119. 

  119. of scope with the RFC7671 \fBDANE\-EE\fR\|(3) certificate usage, and the
    120. 

  120. internal check will be suppressed as appropriate when DANE is
    121. 

  121. enabled.
    122. 

  122. .SH "RETURN VALUES"
    123. 

  123. .IX Header "RETURN VALUES"
    124. 

  124. \&\fBSSL_set1_host()\fR and \fBSSL_add1_host()\fR return 1 for success and 0 for
    125. 

  125. failure.
    126. 

  126. .PP
    127. 

  127. \&\fBSSL_get0_peername()\fR returns NULL if peername verification is not
    128. 

  128. applicable (as with RFC7671 \fBDANE\-EE\fR\|(3)), or no trusted peername was
    129. 

  129. matched.  Otherwise, it returns the matched peername.  To determine
    130. 

  130. whether verification succeeded call \fBSSL_get_verify_result\fR\|(3).
    131. 

  131. .SH EXAMPLES
    132. 

  132. .IX Header "EXAMPLES"
    133. 

  133. Suppose "smtp.example.com" is the MX host of the domain "example.com".
    134. 

  134. The calls below will arrange to match either the MX hostname or the
    135. 

  135. destination domain name in the SMTP server certificate.  Wildcards
    136. 

  136. are supported, but must match the entire label.  The actual name
    137. 

  137. matched in the certificate (which might be a wildcard) is retrieved,
    138. 

  138. and must be copied by the application if it is to be retained beyond
    139. 

  139. the lifetime of the SSL connection.
    140. 

  140. .PP
    141. 

  141. .Vb 5
    142. 

  142. \& SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    143. 

  143. \& if (!SSL_set1_host(ssl, "smtp.example.com"))
    144. 

  144. \&     /* error */
    145. 

  145. \& if (!SSL_add1_host(ssl, "example.com"))
    146. 

  146. \&     /* error */
    147. 

  147. \&
    148. 

  148. \& /* XXX: Perform SSL_connect() handshake and handle errors here */
    149. 

  149. \&
    150. 

  150. \& if (SSL_get_verify_result(ssl) == X509_V_OK) {
    151. 

  151. \&     const char *peername = SSL_get0_peername(ssl);
    152. 

  152. \&
    153. 

  153. \&     if (peername != NULL)
    154. 

  154. \&         /* Name checks were in scope and matched the peername */
    155. 

  155. \& }
    156. 

  156. .Ve
    157. 

  157. .SH "SEE ALSO"
    158. 

  158. .IX Header "SEE ALSO"
    159. 

  159. \&\fBssl\fR\|(7),
    160. 

  160. \&\fBX509_check_host\fR\|(3),
    161. 

  161. \&\fBSSL_get_verify_result\fR\|(3).
    162. 

  162. \&\fBSSL_dane_enable\fR\|(3).
    163. 

  163. .SH HISTORY
    164. 

  164. .IX Header "HISTORY"
    165. 

  165. These functions were added in OpenSSL 1.1.0.
    166. 

  166. .SH COPYRIGHT
    167. 

  167. .IX Header "COPYRIGHT"
    168. 

  168. Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
    169. 

  169. .PP
    170. 

  170. Licensed under the Apache License 2.0 (the "License").  You may not use
    171. 

  171. this file except in compliance with the License.  You can obtain a copy
    172. 

  172. in the file LICENSE in the source distribution or at
    173. 

  173. <https://www.openssl.org/source/license.html>.
    174.