Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
On Wed, Feb 20, 2013 at 10:26 PM, Jardel Weyrich <jweyrich@xxxxxxxxx> wrote:
> On Wed, Feb 20, 2013 at 9:03 PM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
>>
>> On Wed, Feb 20, 2013 at 12:42 PM, Catalin Patulea <catalinp@xxxxxxxxxx>
>> wrote:
>> > On Tue, Feb 19, 2013 at 9:40 PM, Jardel Weyrich <jweyrich@xxxxxxxxx>
>> > wrote:
>> >> 2) Call SSL_CTX_load_verify_locations passing the path of the CA
>> >> certificates installed by the aforementioned package - generally
>> >> /etc/ssl/certs/ca-certificates.crt
>> > Nick, does this seem like a reasonable solution?
>> >
>> > SSL_CTX_load_verify_locations(ssl_ctx,
>> > "/etc/ssl/certs/ca-certificates.crt", NULL);
>>
>> Seems like it could work fine for an initial attempt. Of course, it
>> needs to check for errors and report them if they occur.
>
> Even though libevent cannot assume that file exists - it would have to ship
> it, or an alternative to it.
Yeah.
> Are we talking about the test case?
This is for a new entry in samples/, which is supposed to be sample
"how to use libevent" code.
> If yes, another option would be to
> generate some certificates - 2 CAs, plus 2 certs per CA (1 valid, 1
> expired), and 2 extra self-signed certs. It's likely that more certs are
> needed to cover all possible scenarios. Lengthy work, but can be done.
>
> With this in mind, will libevent try to cover all possibilities in a test
> case?
It might be a good idea to have a test case for all of this too.
>> Also, in addition to this and SSL_verify, I think you may need to call
>> SSL_get_certificate_status() [or whatever it's called] and
>> SSL_get_peer_certificate() in some combination,
>
> By SSL_get_certificate_status, do you mean checking whether the certificate
> is valid (not expired, not revoked, etc)?
Ah, yeah. You need to check the validity dates too. :/
But what I meant was the SSL_get_verify_result function.
>> and check that the
>> hostname in the cert matches the hostname you're trying to connect to
>> -- unless *think* openssl does this for you?
>
> There's X509_check_host for that, but I'm really not sure whether it's
> enough or not.
> Might be a good idea to check how Chromium does that.
I thought Chromium used NSS?
[...]
> AFAIK, it has no callback support for this kind of "automatic error
> reporting", except for SSL_set_info_callback, which sets a callback to
> report errors and state changes for a given SSL connection. FWIW, Tor uses
> it (see src/common/tortls.c).
Yeah, I wrote that code. I wouldn't recommend SSL_set_info_callback,
though: it is a huge can of worms.
--
Nick
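The checklist discussed in this thread (load a CA bundle and fail loudly if that fails, require and verify the peer certificate, check its validity dates, and check that the name in the certificate matches the host you connected to), written out as an added example using Python's ssl module, which wraps the same OpenSSL calls. This is not code from the thread or from libevent's samples/. The certificate dict is constructed to look like `SSLSocket.getpeercert()` output; the names `make_verifying_context`, `hostname_matches`, `peer_cert_matches`, `cert_is_current` and `verify_peer` are this example's own. Chain trust itself (what SSL_get_verify_result reports in C) is enforced by the context's `verify_mode`; the two explicit functions cover the date and hostname checks. The wildcard rule implemented here is the whole-leftmost-label rule of RFC 6125, deliberately stricter than X509_check_host's default, which can also accept partial-label wildcards such as `ww*.example.com`.

```python
"""Client-side TLS verification checks with Python's ssl module (OpenSSL underneath)."""
import os
import ssl
import time


def make_verifying_context(ca_bundle):
    """Client context that requires and verifies the peer certificate.

    Equivalent of SSL_CTX_load_verify_locations(ctx, ca_bundle, NULL) with the
    error checking the thread asks for: a missing or unreadable bundle raises
    instead of leaving a context that silently trusts nothing.
    """
    if not os.path.isfile(ca_bundle):
        raise FileNotFoundError(f"CA bundle not found: {ca_bundle}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # SSL_VERIFY_PEER: chain must verify
    ctx.check_hostname = True             # name in cert must match the target host
    try:
        ctx.load_verify_locations(cafile=ca_bundle)
    except ssl.SSLError as exc:           # e.g. empty file: no certificate found
        raise RuntimeError(f"could not load CA bundle {ca_bundle}: {exc}") from exc
    return ctx


def hostname_matches(cert_name, hostname):
    """Match one DNS name from a certificate against the requested hostname.

    Case-insensitive; a single '*' is allowed only as the entire leftmost label,
    it never matches across a dot, and it needs at least two labels after it
    (so '*.com' matches nothing).
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    pat_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if len(pat_labels) != len(host_labels) or host_labels[0] == "":
        return False
    return pat_labels[1:] == host_labels[1:]


def peer_cert_matches(cert, hostname):
    """Check a getpeercert()-style dict: subjectAltName DNS entries take
    precedence; the subject commonName is used only when no DNS SAN exists."""
    san_dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return any(hostname_matches(n, hostname) for n in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return hostname_matches(value, hostname)
    return False


def cert_is_current(cert, now=None):
    """Validity-date check: notBefore <= now <= notAfter (times in epoch seconds)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def verify_peer(cert, hostname, now=None):
    """Return the list of problems found; an empty list means the certificate
    is acceptable for hostname (chain trust is the context's job, see above)."""
    problems = []
    if not cert_is_current(cert, now):
        problems.append("certificate outside its validity period")
    if not peer_cert_matches(cert, hostname):
        problems.append(f"certificate does not match hostname {hostname!r}")
    return problems


# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
    "notBefore": "Jan 15 00:00:00 2013 GMT",
    "notAfter": "Jan 15 00:00:00 2014 GMT",
}

if __name__ == "__main__":
    mid_2013 = ssl.cert_time_to_seconds("Jul 15 00:00:00 2013 GMT")
    for host in ("www.example.com", "v1.api.example.com", "a.b.api.example.com"):
        print(host, verify_peer(SAMPLE_CERT, host, now=mid_2013))
    try:
        make_verifying_context("/nonexistent/ca-certificates.crt")
    except FileNotFoundError as err:
        print("refused to start without a CA bundle:", err)
```

The path `/etc/ssl/certs/ca-certificates.crt` from the thread can be passed to `make_verifying_context` on systems that ship it; on others the function raises rather than letting the client proceed unverified.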