From 319af73f1ea928fa753aaf94d9ebbf5aeed32d73 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Thu, 31 Jul 2025 17:10:16 +0200
Subject: [PATCH] fixup! apps/cmp.c: fix use of SSL_set_tlsext_host_name() for SNI and X509_VERIFY_PARAM_set1_host()
---
 apps/cmp.c | 2 +-
 doc/man1/openssl-cmp.pod.in | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index c27f397358..59e3faf13a 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -528,7 +528,7 @@ const OPTIONS cmp_options[] = {
 "Trusted certificates to use for verifying the TLS server certificate;"},
 {OPT_MORE_STR, 0, 0, "this implies hostname validation"},
 {"tls_host", OPT_TLS_HOST, 's',
- "Address to be used for SNI and to be checked during TLS hostname validation"},
+ "Name (or address) to use in SNI and verify in the TLS server certificate"},
 #endif
 OPT_SECTION("Client-side debugging"),
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 0a796a79e0..f74a99ce9f 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -115,7 +115,7 @@ TLS connection options:
 [B<-tls_keypass> I]
 [B<-tls_extra> I|I]
 [B<-tls_trusted> I|I]
-[B<-tls_host> I
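Review bot: The new `-tls_host` help string in `cmp_options[]` still reads as if an IP address given here would be sent in SNI, whereas the man-page text changed in the same patch says the value is checked in the server certificate and only a DNS name is "then also used for" SNI. An operator reading only `-help` could assume SNI is always sent and misjudge what the server sees when an address is supplied. I would split the text using the `OPT_MORE_STR` pattern already used two lines above: `"Host name or IP address to verify in the TLS server certificate;"},` followed by `{OPT_MORE_STR, 0, 0, "a DNS name is also used for SNI"},`. Whether the code actually skips SNI for an address is not visible in this hunk, so the wording should be confirmed against the option handling; the `cmp_options[]` array starts and ends outside the hunk.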
] +[B<-tls_host> I] Client-side debugging options: @@ -1030,11 +1030,11 @@ The certificate verification options B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> have no effect on the certificate verification enabled via this option. -=item B<-tls_host> I
+=item B<-tls_host> I -Address to be used for Server Name Indication (SNI) according to RFC 3546 section 3.1 -and to be checked during TLS hostname validation. -This may be a DNS name (for SNI, only this is used) or an IPv4 or IPv6 address. +Hostname or IP address to be checked in the TLS server certificate. +Usually, this is a DNS name, which is then also used for +Server Name Indication (SNI) according to RFC 3546 section 3.1. If not given it defaults to the host part of the B<-server> option URL argument. =back