=head1 SYNOPSIS
- #include <openssl/x509.h>
+ #include <openssl/x509v3.h>
int X509_check_host(X509 *, const char *name, size_t namelen,
unsigned int flags, char **peername);
=head1 DESCRIPTION
The certificate matching functions are used to check whether a
-certificate matches a given host name, email address, or IP address.
+certificate matches a given hostname, email address, or IP address.
The validity of the certificate and its trust level has to be checked by
other means.
X509_check_host() checks if the certificate Subject Alternative
-Name (SAN) or Subject CommonName (CN) matches the specified host
-name, which must be encoded in the preferred name syntax described
+Name (SAN) or Subject CommonName (CN) matches the specified hostname,
+which must be encoded in the preferred name syntax described
in section 3.5 of RFC 1034. By default, wildcards are supported
and they match only in the left-most label; but they may match
part of that label with an explicit prefix or suffix. For example,
domain names must be given in A-label form. The B<namelen> argument
must be the number of characters in the name string or zero in which
case the length is calculated with strlen(B<name>). When B<name> starts
-with a dot (e.g ".example.com"), it will be matched by a certificate
+with a dot (e.g. ".example.com"), it will be matched by a certificate
valid for any sub-domain of B<name>, (see also
B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> below).
is no longer needed.
X509_check_email() checks if the certificate matches the specified
-email B<address>. Only the mailbox syntax of RFC 822 is supported,
+email B<address>. The mailbox syntax of RFC 822 is supported,
comments are not allowed, and no attempt is made to normalize quoted
-characters. The B<addresslen> argument must be the number of
+characters. The mailbox syntax of RFC 6531 is supported for
+SmtpUTF8Mailbox address in subjectAltName according to RFC 8398,
+with similar limitations as for RFC 822 syntax, and no attempt
+is made to convert from A-label to U-label before comparison.
+The B<addresslen> argument must be the number of
characters in the address string or zero in which case the length
is calculated with strlen(B<address>).
IPv6 address. The B<address> array is in binary format, in network
byte order. The length is either 4 (IPv4) or 16 (IPv6). Only
explicitly marked addresses in the certificates are considered; IP
-addresses stored in DNS names and Common Names are ignored.
+addresses stored in DNS names and Common Names are ignored. There are
+currently no B<flags> that would affect the behavior of this call.
X509_check_ip_asc() is similar, except that the NUL-terminated
string B<address> is first converted to the internal representation.
names of the right type (DNS name or email address as appropriate); the default
is to use the subject DN when no corresponding subject alternative names are
present.
+If both B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> and
+B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> are specified, the latter takes
+precedence and the subject DN is not checked for matching names.
If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard
expansion; this only applies to B<X509_check_host>.
=head1 NOTES
Applications are encouraged to use X509_VERIFY_PARAM_set1_host()
-rather than explicitly calling L<X509_check_host(3)>. Host name
-checks are out of scope with the DANE-EE(3) certificate usage,
+rather than explicitly calling L<X509_check_host(3)>. Hostname
+checks may be out of scope with the DANE-EE(3) certificate usage,
and the internal checks will be suppressed as appropriate when
-DANE support is added to OpenSSL.
+DANE support is enabled.
=head1 SEE ALSO
L<X509_VERIFY_PARAM_set1_host(3)>,
L<X509_VERIFY_PARAM_add1_host(3)>,
L<X509_VERIFY_PARAM_set1_email(3)>,
-L<X509_VERIFY_PARAM_set1_ip(3)>,
-L<X509_VERIFY_PARAM_set1_ipasc(3)>
+L<X509_VERIFY_PARAM_set1_ip(3)>
=head1 HISTORY
=head1 COPYRIGHT
-Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
-Licensed under the OpenSSL license (the "License"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.