Re: [Libevent-users] evhttp and TLS hostname validation

[Patrick Pelletier <ppelletier@xxxxxxxxxx>]

On 12/10/2012 03:05 AM, Patrick Pelletier wrote:
> There is a SSL_CTX_set_cert_verify_callback,
> but the iSECPartners document says very strongly never to use it, at the
> bottom of page 2:
>
> https://github.com/iSECPartners/ssl-conservatory/blob/master/openssl/everything-you-wanted-to-know-about-openssl.pdf?raw=true

I've decided to ignore that advice and go ahead and use it.  My 
rationale is that if SSL_CTX_set_cert_verify_callback() is not called, 
then X509_verify_cert() is used as the callback (from examining the 
OpenSSL source code).  As long as my callback calls X509_verify_cert() 
first, then I'm essentially "wrapping" the default behavior, rather than 
replacing it, so it seems like that should be safe.  And this lets me 
insert the hostname validation at the point where it needs to be (after 
the entire certificate chain has been verified, rather than as each 
certificate in the chain gets verified, which was my issue with 
SSL_CTX_set_verify).

So, I think I've solved my problem now, but I do feel a little dubious 
about the whole thing, since I'm using functions I don't fully 
understand, in security-critical code, without following a known 
example.  I'd certainly appreciate any feedback about whether I'm doing 
this the right way or not.

Thanks,

--Patrick

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxx with
unsubscribe libevent-users    in the body.