author | Viktor Dukhovni <ietf-dane@dukhovni.org> | 2014-07-06 01:47:29 +1000 |
---|---|---|
committer | Viktor Dukhovni <ietf-dane@dukhovni.org> | 2014-07-06 01:50:50 +1000 |
commit | ced3d9158a7a8c676be504bb6cd3b5ffb7cc7f13 (patch) | |
tree | 5378db291b7a10706d1dcb3c25b92b54c7df2bec /doc | |
parent | 6e661d458f5aa8f52bf3d9098bd10025de5f08ea (diff) |
Set optional peername when X509_check_host() succeeds.
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/crypto/X509_check_host.pod | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod index 113861d46d..87ea54303a 100644 --- a/doc/crypto/X509_check_host.pod +++ b/doc/crypto/X509_check_host.pod @@ -9,7 +9,7 @@ X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc - X.509 cert #include <openssl/x509.h> int X509_check_host(X509 *, const unsigned char *name, - size_t namelen, unsigned int flags); + size_t namelen, unsigned int flags, char **peername); int X509_check_email(X509 *, const unsigned char *address, size_t addresslen, unsigned int flags); int X509_check_ip(X509 *, const unsigned char *address, @@ -32,11 +32,16 @@ characters in the name string or zero in which case the length is calculated with strlen(name). When B<name> starts with a dot (e.g ".example.com"), it will be matched by a certificate valid for any sub-domain of B<name>, (see also B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> -below). Applications are strongly advised to use -X509_VERIFY_PARAM_set1_host() in preference to explicitly calling -L<X509_check_host(3)>, hostname checks are out of scope with the -DANE-EE(3) certificate usage, and the internal check will be -suppressed as appropriate when DANE support is added to OpenSSL. +below). When the certificate is matched and B<peername> is not +NULL a pointer to a copy of the matching hostname or CommonName +from the peer certificate is stored at the address passed in +B<peername>. The application is responsible for freeing the peername +via OPENSSL_free() when it is no longer needed. Applications are +advised to use X509_VERIFY_PARAM_set1_host() in preference to +explicitly calling L<X509_check_host(3)>, hostname checks are out +of scope with the DANE-EE(3) certificate usage, and the internal +check will be suppressed as appropriate when DANE support is added +to OpenSSL. X509_check_email() checks if the certificate matches the specified email address. Only the mailbox syntax of RFC 822 is supported, |
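Review bot: In the SYNOPSIS hunk, the added `char **peername` argument changes the prototype of X509_check_host(), so every existing four-argument caller stops compiling, and nothing in the synopsis or the visible text tells those callers what to do. Please add a sentence near the prototype saying that callers who do not need the name pass NULL, and note the version in which the signature changed. As a style point, the input name is `const unsigned char *name` while the output is `char **peername`; a word on why the two types differ would save callers a cast-related guess.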
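Review bot: In the second hunk, the new paragraph says what is stored at B<peername> "when the certificate is matched" but not what happens to the pointer when the check fails or returns an error. A caller that calls OPENSSL_free() unconditionally needs to know whether to initialise the pointer to NULL first, so please state that it is left untouched (or set to NULL) on non-match. It would also help to say that the stored string is NUL-terminated and that, because it is copied "from the peer certificate", it is the certificate's own entry (for a wildcard match, the pattern) rather than the name the caller asked for. Separately, "strongly advised" becomes "advised" here with no reason given in the commit message; if the softening is intended, a short rationale would help, otherwise keep the original wording.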