
Web User Interface

N/A

Phone User Interface

N/A

Firmware

>=8.7.5.x

XML Configuration

<host_name_validation_flags perm="PERMISSIONFLAGS">VALIDVALUE</host_name_validation_flags>

Description

This setting governs the degree to which wildcards are permitted during host name validation, which is performed as part of validating a server certificate. It is configured by setting one or more flags. For a description of what the flags mean, see the OpenSSL documentation. The flag values are as follows:

0 (no flags set) --> Wildcards are supported and match only in the left-most label, but they may match part of that label with an explicit prefix or suffix. For example, the host name "www.example.com" would match a certificate with a SAN or CN value of "*.example.com", "w*.example.com" or "*w.example.com".

X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 1 --> Always check the subject name for a host match, even if subject alternative names are present.

X509_CHECK_FLAG_NO_WILDCARDS = 2 --> Disable wildcard matching for dnsName fields and common name.

X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 4 --> Wildcards must not match a partial label.

X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = 8 --> Allow (non-partial) wildcards to match multiple labels.

X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = 16 --> Constrain verifier subdomain patterns to match a single label.

To set multiple flags, add up their values.

This setting only takes effect if the setting Settings/check_fqdn_against_server_cert is enabled.
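
The following Python is an added example, not code from OpenSSL or the phone firmware: it decodes a flag value into the names listed above and models how flags 2, 4 and 8 change the outcome for the "www.example.com" case. The names `decode_flags` and `wildcard_match` are hypothetical, the matcher is a simplified model for ASCII names only, and flags 1 and 16 are decoded but not modelled.

```python
# Added example: simplified model of the wildcard rules, ASCII names only.
FLAGS = {
    1: "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT",
    2: "X509_CHECK_FLAG_NO_WILDCARDS",
    4: "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS",
    8: "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS",
    16: "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS",
}


def decode_flags(value):
    """Split a host_name_validation_flags value into the flag names it sets."""
    if not 0 <= value <= sum(FLAGS):
        raise ValueError(f"{value} is not a sum of the documented flag values")
    return [name for bit, name in FLAGS.items() if value & bit]


def wildcard_match(pattern, host, value=0):
    """Return True if a certificate name (SAN or CN) matches host under value."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    if value & 2:  # NO_WILDCARDS
        return False
    first, _, rest = pattern.partition(".")
    # One wildcard, in the left-most label only, with two more labels after it.
    if first.count("*") != 1 or "*" in rest or "." not in rest:
        return False
    prefix, suffix = first.split("*")
    partial = bool(prefix or suffix)
    if partial and value & 4:  # NO_PARTIAL_WILDCARDS
        return False
    tail = suffix + "." + rest
    if len(host) < len(prefix) + len(tail):
        return False
    if not (host.startswith(prefix) and host.endswith(tail)):
        return False
    covered = host[len(prefix):len(host) - len(tail)]  # text the "*" stands for
    if not partial and not covered:
        return False  # a bare "*" has to cover at least one character
    if value & 8 and not partial:  # MULTI_LABEL_WILDCARDS
        return True
    return "." not in covered


if __name__ == "__main__":
    for flags in (0, 2, 4, 8):
        print(flags, decode_flags(flags))
        for name in ("*.example.com", "w*.example.com", "*w.example.com"):
            print("   ", name, wildcard_match(name, "www.example.com", flags))
```
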

Valid Values

0, 1, 2, 4, 8, 16 or the sum of one or more of these values

Default Value

0

2 (in FW < 8.7.5.71)
