openssl/openssl

Make it easy to authenticate a server correctly

Open

#27.628 aperta il 15 mag 2025

Vedi su GitHub
 (2 commenti) (0 reazioni) (0 assegnatari)C (11.262 fork)batch import
branch: 3.0branch: 3.2branch: 3.3branch: 3.4branch: 3.5branch: masterhelp wantedtriaged: documentation

Metriche repository

Star
 (30.157 star)
Metriche merge PR
 (Nessuna PR mergiata in 30 g)

Descrizione

Apologies if this is a duplicate issue: I did search but couldn't find it maybe due to the wrong keywords.

Right now the basic SSL_CTX_new, SSL_new, SSL_connect series of functions doesn't authenticate the server properly, or set up SNI. To do this right requires creating an X509 verification context, configuring it, then setting the SSL to use it. People get this wrong.

Other libraries do this right: Go has tls.Dial("tcp", "www.example.com:443", nil) that Just Works (tm), and can be easily configured through the third argument. Obviously harder in in C.

What I think we want (and happy to get corrected) is SSL_set_expected_servername(SSL *s, unsigned char *dnsname) that does this whole dance for the user. This will dramatically improve the security ordinary programmers get when using OpenSSL.

Guida contributor