On 10-12-12 08:36, Nick Mathewson wrote:
> On Sat, Dec 8, 2012 at 6:03 AM, Patrick Pelletier <ppelletier@xxxxxxxxxx> wrote:
>
>> However, it's not clear to me how to work the validation function
>> (validate_hostname) into evhttp's control flow. It seems that I would need
>> to call validate_hostname after the TLS handshake occurs, but before evhttp
>> starts transferring data. But, I don't know how to get evhttp to hand over
>> control to me at that time, so I can call validate_hostname.
>
> I might be missing something, but have you looked at
> SSL_CTX_set_verify and SSL_CTX_set_verify_callback? It would appear
> that openssl lets you pass it a function to be used to help validating
> certificates.
>
> yrs,
>

SSL_CTX_set_verify and SSL_CTX_set_verify_callback are used to validate the certificate (chain) itself. They are useful when OpenSSL triggers a false negative on a certificate chain, or when you have your own extensions built into the certificate (think: Microsoft PKI in their deployments, or RFC 3281).

The original question seems to be how to implement RFC 2818 with libevent's evhttp. The moment to do this:

...
- SSL_connect() returns without a failure
- <here and other post-SSL_connect checks>
- continue handing over the (SSL *)
...

I don't know the answer to this question, as I've used libevent's evhttp and libevhtp only on the server side, without the need for machine-to-machine mutual auth (until now).

As I read libevent, you need to have reached the state BUFFEREVENT_SSL_OPEN, and before you tie the buffers together you need to have performed this check to do RFC 2818.

Oscar
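A worked example of the post-handshake hostname check this thread is about, added here and not part of the original message or of libevent: an RFC 2818 style identity match in plain C. The function names (hostname_matches, identity_matches), the helper names and the sample names are my own. The matcher is deliberately stricter than RFC 2818's literal text, which also permits partial-label wildcards such as f*.com; it follows the RFC 6125 / browser practice of honouring '*' only when it is the entire leftmost label. In a libevent client the place to call it is the bufferevent event callback once BEV_EVENT_CONNECTED fires on an OpenSSL bufferevent (that is the public signal for the BUFFEREVENT_SSL_OPEN state Oscar mentions): fetch the SSL with bufferevent_openssl_get_ssl(), the peer certificate with SSL_get_peer_certificate(), the dNSName entries with X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL), and free the bufferevent if identity_matches() returns false. Those libevent/OpenSSL calls appear only in a comment so that the block compiles with nothing beyond libc. Caveat for readers after 2012: OpenSSL 1.0.2 added X509_check_host() and 1.1.0 added SSL_set1_host(), which make the library perform this matching during verification; the thread predates both.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 64

/* Split a DNS name into labels (pointer + length), ignoring one trailing dot.
 * Returns the label count, or -1 if the name is empty, has an empty label
 * ("www..example.com") or has more than MAX_LABELS labels. */
static int split_labels(const char *name, const char *labels[], size_t lens[]) {
    size_t n = strlen(name);
    if (n > 0 && name[n - 1] == '.') n--;          /* "example.com." == "example.com" */
    if (n == 0) return -1;
    int count = 0;
    size_t start = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i == n || name[i] == '.') {
            if (i == start || count == MAX_LABELS) return -1;
            labels[count] = name + start;
            lens[count] = i - start;
            count++;
            start = i + 1;
        }
    }
    return count;
}

/* Case-insensitive comparison of two labels of the given lengths. */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Does the presented identifier `pattern` (one dNSName SAN value, or the CN)
 * match `hostname`?  Rules (hypothetical helper, stricter than RFC 2818 text):
 *  - comparison is case-insensitive, one trailing dot is ignored;
 *  - '*' is honoured only as the whole leftmost label and matches exactly one
 *    label: "*.example.com" matches "www.example.com" but not "example.com"
 *    or "a.www.example.com";
 *  - "*", "*.com", "f*.example.com" and "*.*.example.com" never match;
 *  - a hostname containing '*' never matches.
 * IP-literal hostnames must be compared against iPAddress SAN entries instead;
 * do not feed them to this function. */
bool hostname_matches(const char *hostname, const char *pattern) {
    const char *hl[MAX_LABELS], *pl[MAX_LABELS];
    size_t hn[MAX_LABELS], pn[MAX_LABELS];
    int hc = split_labels(hostname, hl, hn);
    int pc = split_labels(pattern, pl, pn);
    if (hc < 0 || pc < 0 || hc != pc) return false;

    for (int i = 0; i < hc; i++)
        if (memchr(hl[i], '*', hn[i]) != NULL) return false;

    int first = 0;
    if (pn[0] == 1 && pl[0][0] == '*') {
        if (pc < 3) return false;   /* wildcard must leave two literal labels */
        first = 1;
    }
    for (int i = first; i < pc; i++) {
        if (memchr(pl[i], '*', pn[i]) != NULL) return false;
        if (!label_eq(hl[i], hn[i], pl[i], pn[i])) return false;
    }
    return true;
}

/* RFC 2818 section 3.1: if the certificate carries dNSName subjectAltName
 * entries they MUST be used as the identity and the CN is ignored; the CN is
 * consulted only when no dNSName SAN is present.  `cn` may be NULL. */
bool identity_matches(const char *hostname, const char *const *dns_sans,
                      size_t nsans, const char *cn) {
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (hostname_matches(hostname, dns_sans[i])) return true;
        return false;
    }
    return cn != NULL && hostname_matches(hostname, cn);
}

/* Where this goes in a libevent client (not compiled here, shown for context):
 *   static void eventcb(struct bufferevent *bev, short what, void *arg) {
 *       if (what & BEV_EVENT_CONNECTED) {           // handshake finished
 *           SSL *ssl = bufferevent_openssl_get_ssl(bev);
 *           X509 *cert = SSL_get_peer_certificate(ssl);
 *           // collect dNSName entries via X509_get_ext_d2i(cert,
 *           // NID_subject_alt_name, NULL, NULL), the CN from the subject,
 *           // then: if (!identity_matches(host, sans, n, cn)) bufferevent_free(bev);
 *       }
 *   }
 */
int main(void) {
    /* Constructed sample: a cert with two SANs and an unrelated CN. */
    const char *sans[] = {"mail.example.com", "*.example.org"};
    printf("foo.example.org: %s\n", identity_matches("foo.example.org", sans, 2, "www.example.com") ? "ok" : "MISMATCH");
    printf("www.example.com: %s\n", identity_matches("www.example.com", sans, 2, "www.example.com") ? "ok" : "MISMATCH");
    return 0;
}
```

Running the block prints "ok" for foo.example.org and "MISMATCH" for www.example.com: the CN is ignored because the certificate has dNSName SANs, which is exactly the case a CN-only check gets wrong.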