Hi, I include a patch fixing the doc typos. More inline:

2012/4/10 Eric Wong :
>> 2) What does it mean "hostname is required for verification"? I hope
>> it does not mean that "hostname" is a required argument and it's
>> matched against the CommonName field in the server certificate. That
>> would be a really ugly limitation of certificate validation since
>> there are other ways to validate a certificate (i.e. SubjectAltName
>> fields).
>
> (I'm not remotely close to being an SSL expert, and kgio-monkey includes
>  plenty of disclaimers :)
>
> The hostname should be matched against CommonName and/or SubjectAltName

This is not entirely true. It is much more complex ;)

I'll show you some code I wrote for my SIP proxy. It's a Ruby script that gets the SIP identities (domains) in an X.509 certificate (PEM format). The script output is self-descriptive.

I also attach two certificates:

- oversip.net.crt: A certificate created by me with cool SIP identities in SubjectAltName.
- github.crt: The certificate from github.com.

Run the script passing as argument each certificate ;)

And note this is just for the SIP world; maybe in XMPP it's different, or in HTTP or whatever. Each protocol specification defines how a server certificate must be checked.

> kgio-monkey calls SSL_set_tlsext_host_name() and
> OpenSSL::SSL.verify_certificate_identity (for SubjectAltName), so one of
> the methods for handling hostname verification _should_ work.

Hummmm... not sure ;)

Well, I will be much more happy if I can set the certificate validation callback by myself ;) I've worked too much (yet) with Ruby OpenSSL bindings, but I hope that it does allow setting my own verification method.

Regards.

--
Iñaki Baz Castillo
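An added example (not Iñaki's attached script, and not kgio-monkey code) of the SIP-specific identity extraction the message describes, using the Ruby OpenSSL bindings: it builds a constructed self-signed certificate in place of the attached .crt files, then pulls the SIP identities out of SubjectAltName following RFC 5922 (dNSName entries and sip: URIs, the subject CN only when no SAN is present, and no wildcard matching), which is not what a plain HTTP-style hostname check does.

```ruby
require 'openssl'

# Constructed self-signed certificate standing in for oversip.net.crt.
# Pass san = nil to get a certificate with no SubjectAltName at all.
def build_test_cert_pem(san = 'DNS:example.com,DNS:*.wild.example.com,' \
                              'URI:sip:example.net,URI:https://example.org')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=proxy.example.com')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  if san
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# SIP domain identities of a PEM certificate (RFC 5922 section 7.1):
# every dNSName and the host of every sip: URI in SubjectAltName.
# The CN is consulted only when the certificate carries no SAN.
def sip_identities(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  san  = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  unless san
    cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
    return cn ? [cn[1].downcase] : []
  end
  # ext.value renders the SAN as "DNS:a, URI:sip:b, ..."; split it back up.
  san.value.split(/,\s*/).map do |entry|
    type, value = entry.split(':', 2)
    case type
    when 'DNS' then value.downcase
    when 'URI' then value.sub(/\Asip:/i, '').sub(/[;?].*/, '').downcase if value =~ /\Asip:/i
    end
  end.compact
end

# Exact, case-insensitive comparison: RFC 5922 section 7.2 forbids wildcard
# matching for SIP, so "*.wild.example.com" never matches a real host.
def sip_domain_matches?(pem, domain)
  sip_identities(pem).include?(domain.downcase)
end

if __FILE__ == $0
  pem = ARGV[0] ? File.read(ARGV[0]) : build_test_cert_pem
  sip_identities(pem).each { |id| puts "SIP identity: #{id}" }
end
```

Run it with a PEM file as the argument to list that certificate's SIP identities, or with none to use the constructed certificate.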