IXWebSocket
I try to update IXSocketOpenSSL.cpp to have wss client connect to an IP address
Hello,
I discussed this topic on the OpenSSL community mailing list and they told me OpenSSL is able to validate IP addresses from the SAN. The code should look like this (around line 785 in `IXSocketOpenSSL.cpp`):
```cpp
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
    // Support for server name verification
    // (The docs say that this should work from 1.0.2, and is the default from
    // 1.1.0, but it does not. To be on the safe side, the manual test
    // below is enabled for all versions prior to 1.1.0.)
    if (isValidIpAddress(host))
    {
        // We are connecting to an IP address. Let OpenSSL validate the
        // IP address in SAN
        X509_VERIFY_PARAM *param = SSL_get0_param(_ssl_connection);
        // Clear any previously configured expected hostname
        X509_VERIFY_PARAM_set1_host(param, NULL, 0);
        X509_VERIFY_PARAM_set1_ip_asc(param, host.c_str());
    }
    else
    {
        SSL_set1_host(_ssl_connection, host.c_str());
        // Both CN-ID and partial wildcards are deprecated
        // Optionally, reject all wildcards via:
        // X509_CHECK_FLAG_NO_WILDCARDS
        // See X509_check_host(3).
        //
        SSL_set_hostflags(_ssl_connection,
                          X509_CHECK_FLAG_NEVER_CHECK_SUBJECT |
                          X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    }
#endif
```
I tried to compile, but the compiler complains about `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` and `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS`. Those are declared in `x509v3.h`.
I can see at the top of the cpp file that this include is actually included only with old versions of OpenSSL.
When I enable the include file for my version of OpenSSL (3.0.7), I get another error: the compiler now complains about line 181 of `x509v3.h`. I think it doesn't like `X509_NAME`.
So, my question is: does anyone know if I should be able to use the `x509v3.h` include with OpenSSL 3.0.7, or how I could use the flags above?
Thank you.
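
Added example, not part of the original post and not IXWebSocket or OpenSSL code: a simplified model of why the branch on an IP literal matters, since an IP address must match an iPAddress SAN entry by its raw octets and never a dNSName entry that merely contains the same text. `SanEntry`, `parseIpLiteral`, `ipSan` and `peerMatches` are hypothetical names; POSIX `inet_pton` is assumed, and DNS matching is an exact case-insensitive comparison with no wildcard handling.

```cpp
#include <arpa/inet.h>
#include <strings.h>
#include <string>
#include <vector>

// One subjectAltName entry, reduced to the two types relevant here.
enum class SanType { DNS, IP };
struct SanEntry
{
    SanType type;
    std::string value; // DNS: name text; IP: raw 4 or 16 address octets
};

// Parse an IPv4/IPv6 literal into raw octets; false for anything else.
// A possible basis for an isValidIpAddress-style helper (assumption).
bool parseIpLiteral(const std::string& host, std::string& octets)
{
    unsigned char buf[16];
    size_t len = 0;
    if (inet_pton(AF_INET, host.c_str(), buf) == 1) len = 4;
    else if (inet_pton(AF_INET6, host.c_str(), buf) == 1) len = 16;
    else return false;
    octets.assign(reinterpret_cast<const char*>(buf), len);
    return true;
}

// Build an iPAddress entry from text (helper for constructed sample data).
SanEntry ipSan(const std::string& text)
{
    SanEntry e{SanType::IP, ""};
    parseIpLiteral(text, e.value);
    return e;
}

// An IP literal may only match an iPAddress entry (octet comparison);
// a host name may only match a dNSName entry.
bool peerMatches(const std::string& host, const std::vector<SanEntry>& sans)
{
    std::string octets;
    const bool isIp = parseIpLiteral(host, octets);
    for (const auto& san : sans)
    {
        if (isIp && san.type == SanType::IP && san.value == octets) return true;
        if (!isIp && san.type == SanType::DNS &&
            strcasecmp(san.value.c_str(), host.c_str()) == 0) return true;
    }
    return false;
}
```

Because the comparison is on octets, different textual spellings of the same IPv6 address match the same entry, while a certificate that lists the address only as a dNSName is rejected for an IP connection.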