
Re: [Libevent-users] evhttp and TLS hostname validation



On 12/10/2012 03:05 AM, Patrick Pelletier wrote:
> There is an SSL_CTX_set_cert_verify_callback,
> but the iSECPartners document says very strongly never to use it, at the
> bottom of page 2:
>
> https://github.com/iSECPartners/ssl-conservatory/blob/master/openssl/everything-you-wanted-to-know-about-openssl.pdf?raw=true

I've decided to ignore that advice and go ahead and use it. My rationale is that if SSL_CTX_set_cert_verify_callback() is not called, then X509_verify_cert() is used as the callback (from examining the OpenSSL source code). As long as my callback calls X509_verify_cert() first, then I'm essentially "wrapping" the default behavior, rather than replacing it, so it seems like that should be safe. And this lets me insert the hostname validation at the point where it needs to be (after the entire certificate chain has been verified, rather than as each certificate in the chain gets verified, which was my issue with SSL_CTX_set_verify).

So, I think I've solved my problem now, but I do feel a little dubious about the whole thing, since I'm using functions I don't fully understand, in security-critical code, without following a known example. I'd certainly appreciate any feedback about whether I'm doing this the right way or not.

Thanks,

--Patrick
