
Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.



On Tue, Feb 19, 2013 at 3:05 PM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
>    * It could sure use comments!
Can you be more specific? This all feels like a lot of boilerplate to
me. Parse the URL, initialize OpenSSL, create some bufferevents. I'm
not sure what more I can say that a reader of bufferevent.h,
bufferevent_ssl.h and SSL_new(3) etc. doesn't already know.

>    * This is dangerous code; it doesn't do any certificate validation
> so far as I can see, and as such gets zero protection from
> man-in-the-middle attacks.  People who don't know how to use TLS will
> be copying our examples here, so we need to make sure to get the
> security right.
SSL_CTX_set_verify(SSL_VERIFY_PEER, NULL); sound about right to you?

I'm trying to figure out whether OpenSSL distributes a set of CA certs
and initializes the path or whether I need to do this myself - any
idea?