gnutls_x509_crt_check_hostname2 man page

gnutls_x509_crt_check_hostname2 — API function


#include <gnutls/x509.h>

unsigned gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert, const char * hostname, unsigned int flags);


gnutls_x509_crt_t cert

should contain an gnutls_x509_crt_t type

const char * hostname

A null terminated string that contains a DNS name

unsigned int flags



This function will check if the given certificate's subject matches the given hostname.  This is a basic implementation of the matching described in RFC6125, and takes into account wildcards, and the DNSName/IPAddress subject alternative name PKIX extension.

IPv4 addresses are accepted by this function in the dotted-decimal format (e.g, ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal x:x:x:x:x:x:x:x format. For them the IPAddress subject alternative name extension is consulted. Previous versions to 3.6.0 of GnuTLS in case of a non-match would consult (in a non-standard extension) the DNSname and CN fields. This is no longer the case.

When the flag GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS is specified no wildcards are considered. Otherwise they are only considered if the domain name consists of three components or more, and the wildcard starts at the leftmost position. When the flag GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES is specified, the input will be treated as a DNS name, and matching of textual IP addresses against the IPAddress part of the alternative name will not be allowed.

The function gnutls_x509_crt_check_ip() is available for matching IP addresses.


non-zero for a successful match, and zero on failure.



Reporting Bugs

Report bugs to <>.
Home page:

See Also

The full documentation for gnutls is maintained as a Texinfo manual. If the /usr/share/doc/gnutls/ directory does not contain the HTML form visit


3.6.0 gnutls