From 2dce98682ff8b7337bc6963a61185ea7cf5142b8 Mon Sep 17 00:00:00 2001 From: schwarze <> Date: Thu, 17 Sep 2020 08:04:22 +0000 Subject: Install the new page SSL_set1_host(3), link to it from relevant places, and add two other .Xrs that might help readers find their way. Update the merge notices of all files touched and merge a few trivial changes from the OpenSSL 1.1.1 branch. OK tb@ --- src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 | 9 +++++---- src/lib/libcrypto/man/X509_check_host.3 | 15 +++++++++------ 2 files changed, 14 insertions(+), 10 deletions(-) (limited to 'src/lib/libcrypto/man') diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index 5e45278604..33cca3b4b3 100644 --- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 @@ -1,6 +1,6 @@ -.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.14 2018/04/07 13:57:43 jmc Exp $ +.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.15 2020/09/17 08:04:22 schwarze Exp $ .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500 -.\" selective merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100 +.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: @@ -68,7 +68,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 7 2018 $ +.Dd $Mdocdate: September 17 2020 $ .Dt X509_VERIFY_PARAM_SET_FLAGS 3 .Os .Sh NAME @@ -337,7 +337,7 @@ in a chain. .Fn X509_VERIFY_PARAM_set1_host sets the expected DNS hostname to .Fa name -clearing any previously specified host name or names. +clearing any previously specified hostname or names. If .Fa name is 
@@ -693,6 +693,7 @@ SSL_CTX_set1_param(ctx, param); X509_VERIFY_PARAM_free(param); .Ed .Sh SEE ALSO +.Xr SSL_set1_host 3 , .Xr SSL_set1_param 3 , .Xr X509_check_host 3 , .Xr X509_STORE_CTX_set0_param 3 , diff --git a/src/lib/libcrypto/man/X509_check_host.3 b/src/lib/libcrypto/man/X509_check_host.3 index a2c91af1ad..dbc56c0d21 100644 --- a/src/lib/libcrypto/man/X509_check_host.3 +++ b/src/lib/libcrypto/man/X509_check_host.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: X509_check_host.3,v 1.5 2019/08/23 12:23:39 schwarze Exp $ -.\" full merge up to: OpenSSL 6738bf14 Feb 13 12:51:29 2018 +0000 +.\" $OpenBSD: X509_check_host.3,v 1.6 2020/09/17 08:04:22 schwarze Exp $ +.\" full merge up to: OpenSSL a09e4d24 Jun 12 01:56:31 2014 -0400 +.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200 .\" .\" This file was written by Florian Weimer and .\" Viktor Dukhovni . @@ -50,7 +51,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 23 2019 $ +.Dd $Mdocdate: September 17 2020 $ .Dt X509_CHECK_HOST 3 .Os .Sh NAME @@ -91,13 +92,13 @@ .Fc .Sh DESCRIPTION The certificate matching functions are used to check whether a -certificate matches a given host name, email address, or IP address. +certificate matches a given hostname, email address, or IP address. The validity of the certificate and its trust level has to be checked by other means. .Pp .Fn X509_check_host checks if the certificate Subject Alternative Name (SAN) or Subject -CommonName (CN) matches the specified host name, which must be encoded +CommonName (CN) matches the specified hostname, which must be encoded in the preferred name syntax described in section 3.5 of RFC 1034. By default, wildcards are supported and they match only in the left-most label; they may match part of that label with an 
@@ -234,9 +235,11 @@ returns -2 if the provided .Fa name contains embedded NUL bytes. .Sh SEE ALSO +.Xr SSL_set1_host 3 , .Xr X509_EXTENSION_new 3 , .Xr X509_get1_email 3 , -.Xr X509_new 3 +.Xr X509_new 3 , +.Xr X509_VERIFY_PARAM_set1_host 3 .Sh HISTORY These functions first appeared in OpenSSL 1.0.2 and have been available since -- cgit v1.2.3-55-g6feb
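Review bot: in X509_VERIFY_PARAM_set_flags.3, the hunk at line 337 leaves the phrase "hostname or names", which read naturally as "host name or names" but is awkward now that the noun is a single word. Suggest "clearing any previously specified hostname or hostnames", or simply "clearing any previously specified hostnames".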
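Review bot: in the header hunk of X509_check_host.3 (@@ -1,5 +1,6 @@), the "full merge up to" marker moves backwards, from OpenSSL 6738bf14 (Feb 13 2018) to a09e4d24 (Jun 12 2014), and only a selective merge up to 6328d367 is recorded. The commit message says the merge notices are updated but gives no reason for the regression. Please say in the commit message why the earlier full-merge claim is being withdrawn, since whoever does the next merge has to decide whether the upstream changes between those two commits need to be reviewed again.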
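Review bot: in the DESCRIPTION hunk of X509_check_host.3 (@@ -91,13 +92,13 @@), the context sentence "The validity of the certificate and its trust level has to be checked by other means" still does not say what those means are, while the same commit adds SSL_set1_host(3) and X509_VERIFY_PARAM_set1_host(3) only at the bottom in SEE ALSO. Consider referencing them next to that sentence as well, so a reader does not take a successful name match as validation of the certificate.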