Re: [Libevent-users] evhttp and TLS hostname validation
On 12/10/2012 03:05 AM, Patrick Pelletier wrote:
There is an SSL_CTX_set_cert_verify_callback,
but the iSECPartners document says very strongly never to use it, at the
bottom of page 2:
https://github.com/iSECPartners/ssl-conservatory/blob/master/openssl/everything-you-wanted-to-know-about-openssl.pdf?raw=true
I've decided to ignore that advice and go ahead and use it. My
rationale is that if SSL_CTX_set_cert_verify_callback() is not called,
then X509_verify_cert() is used as the callback (from examining the
OpenSSL source code). As long as my callback calls X509_verify_cert()
first, then I'm essentially "wrapping" the default behavior, rather than
replacing it, so it seems like that should be safe. And this lets me
insert the hostname validation at the point where it needs to be (after
the entire certificate chain has been verified, rather than as each
certificate in the chain gets verified, which was my issue with
SSL_CTX_set_verify).
So, I think I've solved my problem now, but I do feel a little dubious
about the whole thing, since I'm using functions I don't fully
understand, in security-critical code, without following a known
example. I'd certainly appreciate any feedback about whether I'm doing
this the right way or not.
Thanks,
--Patrick