
Re: [Libevent-users] evhttp and TLS hostname validation



On 10-12-12 08:36, Nick Mathewson wrote:
> On Sat, Dec 8, 2012 at 6:03 AM, Patrick Pelletier <ppelletier@xxxxxxxxxx> wrote:
> 
>> However, it's not clear to me how to work the validation function
>> (validate_hostname) into evhttp's control flow.  It seems that I would need
>> to call validate_hostname after the TLS handshake occurs, but before evhttp
>> starts transferring data.  But, I don't know how to get evhttp to hand over
>> control to me at that time, so I can call validate_hostname.
> 
> I might be missing something, but have you looked at
> SSL_CTX_set_verify and SSL_CTX_set_verify_callback? It would appear
> that openssl lets you pass it a function to be used to help validate
> certificates.
> 
> yrs,
> 

The SSL_CTX_set_verify and SSL_CTX_set_verify_callback are used to validate
the certificate (chain) itself. Useful when OpenSSL triggers a
false negative on a certificate chain, or you have your own extensions built into
the certificate (think: Microsoft PKI in their deployments, or RFC3281).

The original question seems to be how to implement RFC2818 with libevent's
evhttp.

The moment to do this:
...
- SSL_connect() returns without a failure
- <here and other post SSL connect checks>
- continue handing over the (SSL *)
...

I don't know the answer to this question, as I've used libevent's evhttp and
libevhtp only on the server side, without the need for machine-to-machine
mutual auth (until now).

As I read libevent, you need to have reached the state BUFFEREVENT_SSL_OPEN,
and before you tie the buffers together you need to have performed this
check to do the RFC2818.


	Oscar
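The RFC 2818 name-matching step Oscar describes, as an added example that is not code from this thread or from libevent: `validate_hostname` is a stand-in for the poster's function, and the candidate names are assumed to have already been pulled from the peer certificate (dNSName SAN entries, CN as fallback) once SSL_connect() has succeeded and before any data is handed over. Newer OpenSSL releases provide X509_check_host() for this; the code below spells out the rules it applies, plus two stricter checks from later practice that are labelled as such.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
/* Case-insensitive equality of two byte ranges of length n. */
static bool ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}
/* One pattern label vs. one host label. Per RFC 2818 3.1 a single '*' matches
 * a whole component or a fragment ("f*.example.com" vs "foo.example.com");
 * it never spans a '.'. */
static bool label_match(const char *p, size_t plen, const char *h, size_t hlen) {
    const char *star = memchr(p, '*', plen);
    if (!star) return plen == hlen && ieq(p, h, plen);
    size_t pre = (size_t)(star - p), suf = plen - pre - 1;
    if (memchr(star + 1, '*', suf) || hlen < pre + suf)  /* one '*' per label */
        return false;
    return ieq(p, h, pre) && ieq(star + 1, h + hlen - suf, suf);
}
/* Presented identifier vs. the hostname the client meant to reach. Label
 * counts must agree: "*.a.com" matches "foo.a.com", not "bar.foo.a.com".
 * Two later-practice checks (RFC 6125 6.4.3) are layered on top: a wildcard
 * never matches an IP literal, and it needs two further labels ("*.com"). */
bool rfc2818_match(const char *pattern, const char *host) {
    if (strchr(pattern, '*')) {
        size_t dots = 0;
        for (const char *c = pattern; *c; c++) dots += (*c == '.');
        if (dots < 2 || strspn(host, "0123456789.") == strlen(host))
            return false;
    }
    for (;;) {
        const char *pd = strchr(pattern, '.'), *hd = strchr(host, '.');
        size_t plen = pd ? (size_t)(pd - pattern) : strlen(pattern);
        size_t hlen = hd ? (size_t)(hd - host) : strlen(host);
        if (!label_match(pattern, plen, host, hlen))
            return false;
        if (!pd || !hd)              /* true only if both ran out together */
            return !pd && !hd;
        pattern = pd + 1; host = hd + 1;
    }
}
/* The post-handshake check: true if any name from the certificate matches. */
bool validate_hostname(const char *host, const char *const *names, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (rfc2818_match(names[i], host))
            return true;
    return false;
}
```

In the bufferevent flow described above, this is the call that belongs between the handshake completing and the buffers being tied together; a false return means the connection must be closed before any request is written.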

