verify_server_name

Specifies a semi-colon separated list of DNS names to use in peer name verification, or disables peer name verification.

verify_server_name | vfy_srv_nm = Type:PeerName{; TypeN:PeerNameN} | {no | n | 0}

Arguments

  • Type:—keyword that specifies the type or format of the following peer name; one of DNS, IP, URI, or Email. The keyword is case-insensitive.
  • PeerName—peer name of the specified type, for example ABC0123.mycompany.com (DNS), 123.0.2.34 (IP), urn:uniface:urouter:10.3.01 (URI), or info@mycompany.com (email).

Use

Set this option in the client assignment file. It is applicable only when verify_server is set to yes.

Description

Peer name verification is automatically enabled when server verification is enabled.

You can provide multiple DNS, IP, URI and Email items in the list of names. Names specified by verify_server_name must be preceded by a matching prefix, for example, dns:abc.mycompany.com or IP:197.68.0.1.

When trying to match a peer name against a name in the certificate, the TLS connector checks the name against the Subject Alternative Names of that type. If any name specified by verify_server_name matches a name in the certificate, the validation succeeds and the connection is established.

If a DNS name or IP address is specified and no match is found in the Subject Alternative Names, the Subject Common Name field is also checked.

For URIs, the TLS connector performs a case-insensitive comparison of the whole string against the Subject Alternative Names of type URI. A URI can be a URL (location) or URN (name) of a resource. It cannot include commas or semi-colons, which are used as separators in Uniface.

An Email address is checked against the Subject Alternative Names of type Email address, and against the Subject emailAddress.

DNS names may contain an asterisk (*) as a wildcard in the left-most segment of the name, representing the host name.

IPv6 addresses that appear different but are equivalent, such as 0::1 and ::1, will match.
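The matching rules above, as an added Python example that is not part of the Uniface product or this page: it parses a verify_server_name value into typed peer names and checks them against a constructed certificate identity. The certificate dictionary layout, the case-insensitive DNS comparison and the exact Email comparison are assumptions; the SAN-then-CN fallback, the whole-string URI comparison and the IPv6 normalisation follow the text.

```python
import ipaddress

# Constructed certificate identity (sample data, not from the page): Subject Alternative
# Names grouped by type, plus the Subject Common Name and emailAddress fields.
CERT = {
    "san": {"DNS": ["www.mycompany.com"], "IP": ["::1"],
            "URI": ["urn:uniface:urouter:10.3.01"], "Email": ["info@mycompany.com"]},
    "cn": "garlic.my_company.com",
    "emailAddress": "admin@mycompany.com",
}

def parse_verify_server_name(value):
    """Split 'Type:Name; TypeN:NameN' into (TYPE, name) pairs; None means verification is disabled."""
    if value.strip().lower() in ("no", "n", "0"):
        return None
    items = []
    for item in value.split(";"):
        if item.strip():
            typ, sep, name = item.partition(":")  # URIs contain ':' too, so split on the first one only
            if not sep or typ.strip().upper() not in ("DNS", "IP", "URI", "EMAIL"):
                raise ValueError(f"peer name without a valid type prefix: {item.strip()!r}")
            items.append((typ.strip().upper(), name.strip()))
    return items

def dns_match(pattern, name):
    """'*' is accepted only as the whole left-most label; labels compare case-insensitively (assumption)."""
    p, n = pattern.lower().split("."), name.lower().split(".")
    return len(p) == len(n) and p[1:] == n[1:] and (p[0] == n[0] or p[0] == "*")

def ip_match(a, b):
    """Compare parsed addresses so equivalent spellings such as 0::1 and ::1 match."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False

def peer_name_matches(items, cert):
    """True when any configured peer name matches the certificate; DNS and IP fall back to the CN."""
    san = cert.get("san", {})
    for typ, name in items:
        if typ == "DNS":
            if any(dns_match(name, s) for s in san.get("DNS", [])) or dns_match(name, cert.get("cn", "")):
                return True
        elif typ == "IP":
            if any(ip_match(name, s) for s in san.get("IP", [])) or ip_match(name, cert.get("cn", "")):
                return True
        elif typ == "URI":  # whole-string, case-insensitive comparison against SAN URIs only
            if any(name.lower() == s.lower() for s in san.get("URI", [])):
                return True
        elif typ == "EMAIL":  # SAN email entries and the Subject emailAddress field
            if name in san.get("Email", []) or name == cert.get("emailAddress"):
                return True
    return False
```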

If the verify_server_name option is omitted from the TLS client assignment file, the host name specified in the path that uses that particular TLS profile will be used as the peer name to verify against the certificate of the TLS server.

If the host name in the path is a name that requires a DNS lookup, it is compared as type DNS. If the host name is an IP address, it is compared as type IP.

If the path does not contain a host name, the host name in $DEFAULT_NET or $DEFAULT_TCP_HOST is used.

If these settings also do not specify a host name, then the TLS driver will get the host name from the system.

For example, in the following path the host name ABC0123.mycompany is used as the DNS peer name when verify_server_name is omitted:

[PATHS]
$SRV1 TLS:ABC0123.mycompany+13001:Srv1Cert|username|password|SRV1

Specifying Names for Server Peer Verification

;client.asn
[NET_SETTINGS]
CheckServer=verify_server=yes, ca_certificate=servercert.crt, %\
            verify_server_name=dns:*.mycompany.com; IP:197.68.0.1;%\
            dns:garlic.my_company.com ; Email:myemail@mycompany.com

Disabling Server Name Verification

You can disable server name verification by specifying verify_server_name = no (or n or 0).

;client.asn
[NET_SETTINGS]
CheckServer=verify_server=yes, verify_server_name=no, ca_certificate=clcert.crt