
This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 123912
Status: resolved
Priority: 0/
Queue: Net-SSLeay

People
Owner: MIKEM [...] cpan.org
Requestors: hvn [...] open.com.au
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 1.83



Subject: Patch: X509_VERIFY_PARAM_set_flags related functions, constants and updates
Date: Mon, 18 Dec 2017 20:29:55 +0200
To: bug-Net-SSLeay [...] rt.cpan.org
From: Heikki Vatiainen <hvn [...] open.com.au>
This patch adds new functions for certificate verification introduced in OpenSSL 1.02, a number of constants, new test data files, new tests and updates to .pod documentation.

The new functions provide access to the built-in wildcard check functionality available in OpenSSL 1.0.2 and later.

Please consider including these in next release.

Thanks,
Heikki

* Added more functions that manipulate X509_VERIFY_PARAM structure associated with certificate verification. These functions were introduced in OpenSSL 1.0.2.
  - SSL_CTX_get0_param
  - SSL_get0_param
  - X509_VERIFY_PARAM_set1_host
  - X509_VERIFY_PARAM_add1_host
  - X509_VERIFY_PARAM_set_hostflags
  - X509_VERIFY_PARAM_get0_peername
  - X509_VERIFY_PARAM_set1_email
  - X509_VERIFY_PARAM_set1_ip
  - X509_VERIFY_PARAM_set1_ip_asc

  Added the new functions in SSLeay.pod

  Added one X509_check_host() constant introduced in OpenSSL 1.1.0
  - X509_CHECK_FLAG_NEVER_CHECK_SUBJECT

* Added flags for X509_VERIFY_PARAM structure. These flags are present in many recent LibreSSL and OpenSSL releases.
  - X509_V_FLAG_NO_ALT_CHAINS
  - X509_V_FLAG_NO_CHECK_TIME
  - X509_V_FLAG_PARTIAL_CHAIN
  - X509_V_FLAG_SUITEB_128_LOS
  - X509_V_FLAG_SUITEB_128_LOS_ONLY
  - X509_V_FLAG_SUITEB_192_LOS

* Added all X509_V_ERR_ constants returned by get_verify_result() and documented in verify(1).

  The constant list was obtained from the upcoming OpenSSL 1.1.1 development repository.

* Added more tests to t/local/36_verify.t.

  Added tests for various X509_VERIFY_PARAM_ tests such as X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_set1_ip and X509_VERIFY_PARAM_add0_policy.

  Wildcard matching control flags are tested for disabling wildcards. Other flags are not tested yet.

  Noticed that X509_VERIFY_PARAM_get0_peername always returns undef with OpenSSL 1.0.2 but works with 1.1.0 and later. Reason for this is not known yet.

* Added testcert_wildcard.conf in test data directory.

  This file contains instructions and configuration for creating a certificate with a wildcard name and some extensions to test.

* Added wildcard certificate and respective private key for testing in test data directory.

--
Heikki Vatiainen <hvn@open.com.au>

Message body is not shown because sender requested not to inline it.
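
The functions listed in the message above let OpenSSL check the peer's name during chain verification instead of leaving it to application code. The following is an added example, not code from the ticket, the patch or the Net-SSLeay distribution; `expect_peer`, its `no_wildcards` option and the sample identities are hypothetical, and it assumes Net::SSLeay 1.83 or later built against OpenSSL 1.0.2 or later.

```perl
#!/usr/bin/perl
# Added example: bind the expected peer identity to an SSL object.
use strict;
use warnings;
use Net::SSLeay 1.83;   # the release the ticket lists as "Fixed in"

Net::SSLeay::initialize();

# Hypothetical helper: tell OpenSSL which name or address the peer
# certificate must match, so the check runs inside chain verification.
sub expect_peer {
    my ($ssl, $peer, %opt) = @_;
    my $param = Net::SSLeay::get0_param($ssl)
        or die "SSL_get0_param failed\n";

    my $ok;
    if ($peer =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ or $peer =~ /:/) {
        # IP literal: matched against iPAddress subjectAltName entries.
        $ok = Net::SSLeay::X509_VERIFY_PARAM_set1_ip_asc($param, $peer);
    } else {
        # Reject wildcard certificates when an exact name is required.
        Net::SSLeay::X509_VERIFY_PARAM_set_hostflags($param,
            Net::SSLeay::X509_CHECK_FLAG_NO_WILDCARDS())
            if $opt{no_wildcards};
        $ok = Net::SSLeay::X509_VERIFY_PARAM_set1_host($param, $peer);
    }
    die "cannot set expected peer '$peer'\n" unless $ok;

    # Without VERIFY_PEER a failed check does not abort the handshake.
    Net::SSLeay::set_verify($ssl, Net::SSLeay::VERIFY_PEER(), undef);
    return $param;
}

my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
Net::SSLeay::CTX_set_default_verify_paths($ctx);

# Constructed sample identities; no connection is made in this example.
for my $peer ('www.example.com', '192.0.2.10', '2001:db8::1') {
    my $ssl = Net::SSLeay::new($ctx) or die "SSL_new failed\n";
    expect_peer($ssl, $peer, no_wildcards => 1);
    print "configured verification for $peer\n";
    Net::SSLeay::free($ssl);
}
Net::SSLeay::CTX_free($ctx);
```

After a handshake on an SSL object prepared this way, `Net::SSLeay::get_verify_result($ssl)` reports a name mismatch as `X509_V_ERR_HOSTNAME_MISMATCH`. Because the message notes that `X509_VERIFY_PARAM_get0_peername` returns undef with OpenSSL 1.0.2, code that must run there should rely on the verify result rather than on the matched name.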

Subject: Re: [rt.cpan.org #123912] Patch: X509_VERIFY_PARAM_set_flags related functions, constants and updates
Date: Sat, 23 Dec 2017 07:36:38 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Thanks Heikki,

Your patch is now in SVN 511

Cheers.

On Tuesday, 19 December 2017 04:31:34 AEST you wrote:
> Mon Dec 18 13:31:32 2017: Request 123912 was acted upon.
> Transaction: Ticket created by hvn@open.com.au
> Queue: Net-SSLeay
> Subject: Patch: X509_VERIFY_PARAM_set_flags related functions,
> constants and updates
> Broken in: (no value)
> Severity: (no value)
> Owner: Nobody
> Requestors: hvn@open.com.au
> Status: new
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=123912 >
>
>
> This patch adds new functions for certificate verification introduced in
> OpenSSL 1.02, a number of constants, new test data files, new tests and
> updates to .pod documentation.
>
> The new functions provide access to the built-in wildcard check
> functionality available in OpenSSL 1.0.2 and later.
>
> Please consider including these in next release.
>
> Thanks,
> Heikki
>
>
> * Added more functions that manipulate X509_VERIFY_PARAM
> structure associated with certificate verification. These
> functions were introduced in OpenSSL 1.0.2.
> - SSL_CTX_get0_param
> - SSL_get0_param
>
> - X509_VERIFY_PARAM_set1_host
> - X509_VERIFY_PARAM_add1_host
> - X509_VERIFY_PARAM_set_hostflags
> - X509_VERIFY_PARAM_get0_peername
> - X509_VERIFY_PARAM_set1_email
> - X509_VERIFY_PARAM_set1_ip
> - X509_VERIFY_PARAM_set1_ip_asc
>
> Added the new functions in SSLeay.pod
>
> Added one X509_check_host() constant introduced in OpenSSL 1.1.0
> - X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
>
> * Added flags for X509_VERIFY_PARAM structure.
> These flags are present in many recent LibreSSL and OpenSSL
> releases.
>
> - X509_V_FLAG_NO_ALT_CHAINS
> - X509_V_FLAG_NO_CHECK_TIME
> - X509_V_FLAG_PARTIAL_CHAIN
> - X509_V_FLAG_SUITEB_128_LOS
> - X509_V_FLAG_SUITEB_128_LOS_ONLY
> - X509_V_FLAG_SUITEB_192_LOS
>
> * Added all X509_V_ERR_ constants returned by get_verify_result()
> and documented in verify(1).
>
> The constant list was obtained from the upcoming OpenSSL 1.1.1
> development repository.
>
> * Added more tests to t/local/36_verify.t.
>
> Added tests for various X509_VERIFY_PARAM_ tests such as
> X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_set1_ip and
> X509_VERIFY_PARAM_add0_policy.
>
> Wildcard matching control flags are tested for disabling
> wildcards. Other flags are not tested yet.
>
> Noticed that X509_VERIFY_PARAM_get0_peername always returns undef
> with OpenSSL 1.0.2 but works with 1.1.0 and later. Reason for this
> is not known yet.
>
> * Added testcert_wildcard.conf in test data directory.
>
> This file contains instructions and configuration for creating
> a certificate with a wildcard name and some extensions to test.
>
> * Added wildcard certificate and respective private key for
> testing in test data directory.

--
Mike McCauley VK4AMM mikem@airspayce.com
Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.airspayce.com
Phone +61 7 5598-7474