openssl/openssl

Make it easy to authenticate a server correctly

Open

#27,628 创建于 2025年5月15日

在 GitHub 查看
 (2 评论) (0 反应) (0 负责人)C (11,262 fork)batch import
branch: 3.0branch: 3.2branch: 3.3branch: 3.4branch: 3.5branch: masterhelp wantedtriaged: documentation

仓库指标

Star
 (30,157 star)
PR 合并指标
 (30 天内没有已合并 PR)

描述

Apologies if this is a duplicate issue: I did search but couldn't find it maybe due to the wrong keywords.

Right now the basic SSL_CTX_new, SSL_new, SSL_connect series of functions doesn't authenticate the server properly, or set up SNI. To do this right requires creating an X509 verification context, configuring it, then setting the SSL to use it. People get this wrong.

Other libraries do this right: Go has tls.Dial("tcp", "www.example.com:443", nil) that Just Works (tm), and can be easily configured through the third argument. Obviously harder in in C.

What I think we want (and happy to get corrected) is SSL_set_expected_servername(SSL *s, unsigned char *dnsname) that does this whole dance for the user. This will dramatically improve the security ordinary programmers get when using OpenSSL.

贡献者指南