[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.

To: libevent-users@xxxxxxxxxxxxx, Patrick Pelletier <ppelletier@xxxxxxxxxx>
Subject: Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
From: Nick Mathewson <nickm@xxxxxxxxxxxxx>
Date: Tue, 19 Feb 2013 15:26:34 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: libevent-users-outgoing@xxxxxxxx
Delivered-to: libevent-users@xxxxxxxx
Delivery-date: Tue, 19 Feb 2013 15:26:39 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=OL3XFIFh52e/hxnNCJFYv3AFHuuMjNqENxfYB+edNxc=; b=J36h4OfHdZYyZ4zdKGyls1z+Bm6jdJ3I5UfhCTZmHzZPNby7MYdYMOpswkDYUZC7ZS 8qJ2TC8BQUGGS1usxWiBUrOWTt2Vbgmq2y6FSjGhleXMF235cl6DbkERclYHaI+6t3Va gm0WySY/66BSH+VeITp+weIk+rdsxIlC58vhNGc6OqDQrZou/kKYCvJ+BytmU6F6/Wgi 6722OvnlnaG0oo/gLXRaL9YY3LUGfSIsAu/0QGa4sWI9YWBT4ubsy8nkcXyWNdHmqpBr wgL7Ogfe6WyTmetpsEK4m2vTAnyluRq0K88ogdtum2KzYgolRjKPmfhGTAcuGY46UULr OR4g==
In-reply-to: <CAKDKvuwG_1631y5X+i_HRs=S5iOEoQu-ifmqu9cMPs=9hV-Tkg@xxxxxxxxxxxxxx>
References: <1361294551-21026-1-git-send-email-catalinp@xxxxxxxxxx> <CAKDKvuwG_1631y5X+i_HRs=S5iOEoQu-ifmqu9cMPs=9hV-Tkg@xxxxxxxxxxxxxx>
Reply-to: libevent-users@xxxxxxxxxxxxx
Sender: owner-libevent-users@xxxxxxxxxxxxx

On Tue, Feb 19, 2013 at 3:05 PM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> On Tue, Feb 19, 2013 at 12:22 PM, Catalin Patulea <catalinp@xxxxxxxxxx> wrote:
>>
>> Signed-off-by: Catalin Patulea <catalinp@xxxxxxxxxx>
>> ---
>>  .gitignore            |   1 +
>>  sample/https-client.c | 207 ++++++++++++++++++++++++++++++++++++++++++++++++++
>>  sample/include.am     |   5 ++
>>  3 files changed, 213 insertions(+)
>>  create mode 100644 sample/https-client.c
>>
>
> Looks like a good start!
>
> Patrick, do you have time to have a look at this?  I'm hoping you'll
> have some ideas of whether or not this is the right way to write this.
>
>
> Some initial comments:
>
>    * It could sure use comments!
>
>    * This is dangerous code; it doesn't do any certificate validation
> so far as I can see, and as such gets zero protection from
> man-in-the-middle attacks.  People who don't know how to use TLS will
> be copying our examples here, so we need to make sure to get the
> security right.

Oh dear.  It looks like le-proxy.c has the same issue with not doing
certificate validation.  We should fix that too, before anybody
decides that reading le-proxy.c is a substitute for learning the
OpenSSL API and shoots themselves in the foot. :p

-- 
Nick
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxx with
unsubscribe libevent-users    in the body.

References:
- [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
  - From: Catalin Patulea
- Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
  - From: Nick Mathewson

Prev by Author: Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
Next by Author: Re: [Libevent-users] use windows threads leak
Previous by thread: Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
Next by thread: Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
Index(es):
- Author
- Thread