1 files changed, 38 insertions, 0 deletions

diff --git a/doc/functions/gnutls_x509_crt_check_hostname2 b/doc/functions/gnutls_x509_crt_check_hostname2
new file mode 100644
index 0000000..ffac35b
--- /dev/null
+++ b/doc/functions/gnutls_x509_crt_check_hostname2
@@ -0,0 +1,38 @@
+
+
+
+
+@deftypefun {unsigned} {gnutls_x509_crt_check_hostname2} (gnutls_x509_crt_t @var{cert}, const char * @var{hostname}, unsigned int @var{flags})
+@var{cert}: should contain an gnutls_x509_crt_t type
+
+@var{hostname}: A null terminated string that contains a DNS name
+
+@var{flags}: gnutls_certificate_verify_flags
+
+This function will check if the given certificate's subject matches
+the given hostname.  This is a basic implementation of the matching
+described in RFC6125, and takes into account wildcards,
+and the DNSName/IPAddress subject alternative name PKIX extension.
+
+IPv4 addresses are accepted by this function in the dotted-decimal
+format (e.g, ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal
+x:x:x:x:x:x:x:x format. For them the IPAddress subject alternative
+name extension is consulted. Previous versions to 3.6.0 of GnuTLS
+in case of a non-match would consult (in a non-standard extension)
+the DNSname and CN fields. This is no longer the case.
+
+When the flag @code{GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS}  is specified no
+wildcards are considered. Otherwise they are only considered if the
+domain name consists of three components or more, and the wildcard
+starts at the leftmost position.
+When the flag @code{GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES}  is specified,
+the input will be treated as a DNS name, and matching of textual IP addresses
+against the IPAddress part of the alternative name will not be allowed.
+
+The function @code{gnutls_x509_crt_check_ip()}  is available for matching
+IP addresses.
+
+@strong{Returns:} non-zero for a successful match, and zero on failure.
+
+@strong{Since:} 3.3.0
+@end deftypefun