[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.

On Tue, Feb 19, 2013 at 7:07 PM, Catalin Patulea <catalinp@xxxxxxxxxx> wrote:
On Tue, Feb 19, 2013 at 3:05 PM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> Â Â* It could sure use comments!
Can you be more specific? This all feels like a lot of boilerplate to
me. Parse the URL, initialize OpenSSL, create some bufferevents. I'm
not sure what more I can say that a reader of bufferevent.h,
bufferevent_ssl.sh and SSL_new(3) etc. doesn't already know.

> Â Â* This is dangerous code; it doesn't do any certificate validation
> so far as I can see, and as such gets zero protection from
> man-in-the-middle attacks. ÂPeople who don't know how to use TLS will
> be copying our examples here, so we need to make sure to get the
> security right.
SSL_CTX_set_verify(SSL_VERIFY_PEER, NULL); sound about right to you?

I'm trying to figure out whether OpenSSL distributes a set of CA certs

OpenSSL by itself does not distribute a list of trusted CA certificates. Assuming Debian, you could install a list of them using:
# apt-get install ca-certificates
and initializes the path or whether I need to do this myself - any

It does not do it automatically. You have a few options:
1) Load the CAs you care about and add them to a certificate store - See http://stackoverflow.com/a/3343843/298054
2) Call SSL_CTX_load_verify_locations passing the path of the CA certificates installed by the aforementioned package - generallyÂ/etc/ssl/certs/ca-certificates.crt
3) Use a combination of X509_STORE_add_lookup, X509_STORE_load_locations, X509_STORE_set_default_paths, X509_LOOKUP_load_file, and X509_STORE_add_lookup

- jw