gnutls_x509_crt_check_hostname2 - API function
cert, const char * hostname, unsigned int
- gnutls_x509_crt_t cert
- should contain an gnutls_x509_crt_t type
- const char * hostname
- A null terminated string that contains a DNS name
- unsigned int flags
This function will check if the given certificate's subject matches the given
hostname. This is a basic implementation of the matching described in RFC6125,
and takes into account wildcards, and the DNSName/IPAddress subject
alternative name PKIX extension.
IPv4 addresses are accepted by this function in the dotted-decimal format (e.g,
ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal x:x:x:x:x:x:x:x
format. For them the IPAddress subject alternative name extension is
consulted. Previous versions to 3.6.0 of GnuTLS in case of a non-match would
consult (in a non-standard extension) the DNSname and CN fields. This is no
longer the case.
When the flag GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS
is specified no
wildcards are considered. Otherwise they are only considered if the domain
name consists of three components or more, and the wildcard starts at the
leftmost position. When the flag GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES
is specified, the input will be treated as a DNS name, and matching of textual
IP addresses against the IPAddress part of the alternative name will not be
The function gnutls_x509_crt_check_ip()
is available for matching IP
non-zero for a successful match, and zero on failure.
Report bugs to <firstname.lastname@example.org>.
Home page: https://www.gnutls.org
Copyright © 2001-2019 Free Software Foundation, Inc., and others.
Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and this
notice are preserved.
The full documentation for gnutls
is maintained as a Texinfo manual. If
the /usr/share/doc/gnutls/ directory does not contain the HTML form visit