
Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.



On Tue, Feb 19, 2013 at 7:07 PM, Catalin Patulea <catalinp@xxxxxxxxxx> wrote:
> On Tue, Feb 19, 2013 at 3:05 PM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
>> * It could sure use comments!
> Can you be more specific? This all feels like a lot of boilerplate to
> me. Parse the URL, initialize OpenSSL, create some bufferevents. I'm
> not sure what more I can say that a reader of bufferevent.h,
> bufferevent_ssl.sh and SSL_new(3) etc. doesn't already know.
>
>> * This is dangerous code; it doesn't do any certificate validation
>> so far as I can see, and as such gets zero protection from
>> man-in-the-middle attacks. People who don't know how to use TLS will
>> be copying our examples here, so we need to make sure to get the
>> security right.
> SSL_CTX_set_verify(SSL_VERIFY_PEER, NULL); sound about right to you?
>
> I'm trying to figure out whether OpenSSL distributes a set of CA certs

OpenSSL by itself does not distribute a list of trusted CA certificates. Assuming Debian, you could install a list of them using:
# apt-get install ca-certificates

> and initializes the path or whether I need to do this myself - any
> idea?

It does not do it automatically. You have a few options:
1) Load the CAs you care about and add them to a certificate store - See http://stackoverflow.com/a/3343843/298054
2) Call SSL_CTX_load_verify_locations passing the path of the CA certificates installed by the aforementioned package - generally /etc/ssl/certs/ca-certificates.crt
3) Use a combination of X509_STORE_add_lookup, X509_STORE_load_locations, X509_STORE_set_default_paths, X509_LOOKUP_load_file, and X509_STORE_add_lookup

- jw
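The following is an added example, not code from this thread or from libevent. It shows the client-side configuration the thread is circling around (verify the peer, then give OpenSSL a trust store to verify against) using Python's standard `ssl` module, which is a thin wrapper over the same OpenSSL calls; each step is annotated with the C call it corresponds to. It goes slightly beyond the thread by also turning on hostname checking, since a chain that verifies against the CA bundle still says nothing about whether the certificate belongs to the host that was dialed. The function names, the `audit_context` checks and the fallback-to-default-paths behaviour are my own choices; `DEBIAN_CA_BUNDLE` is the path jw gives above.

```python
"""Added example: a TLS client context that actually verifies the server.

Python's ssl module wraps the OpenSSL calls discussed in the thread, so
each step below names the C call it corresponds to.
"""
import os
import ssl
from typing import List, Optional

# Where Debian's ca-certificates package installs the bundle (from the thread).
DEBIAN_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def make_verifying_context(cafile: Optional[str] = DEBIAN_CA_BUNDLE) -> ssl.SSLContext:
    """Client context with peer verification and a populated trust store.

    Equivalent C sequence:
        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
        SSL_CTX_load_verify_locations(ctx, cafile, NULL);   /* if cafile exists */
        SSL_CTX_set_default_verify_paths(ctx);              /* otherwise */
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # SSL_VERIFY_PEER: the handshake fails if the chain does not verify.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # A valid chain alone does not prove the cert belongs to the host we
    # dialed; hostname checking (X509_VERIFY_PARAM_set1_host in C) closes that gap.
    ctx.check_hostname = True
    if cafile and os.path.isfile(cafile):
        ctx.load_verify_locations(cafile=cafile)
    else:
        # No bundle at that path: fall back to the library's compiled-in
        # default file/directory (what option 3 in the thread assembles by hand).
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """The configuration the thread warns about: SSL_VERIFY_NONE and no hostname
    check. Kept here only so audit_context() has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is %s; the server certificate is not required to verify"
                        % ctx.verify_mode.name)
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled; any valid certificate is accepted for any host")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded; every chain will fail to verify")
    return findings


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when peer verification and hostname checking are both on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def default_ca_paths() -> ssl.DefaultVerifyPaths:
    """Where the linked OpenSSL looks when SSL_CTX_set_default_verify_paths()
    is called (X509_get_default_cert_file/_dir) and the env vars overriding them."""
    return ssl.get_default_verify_paths()


if __name__ == "__main__":
    print("OpenSSL default CA locations:", default_ca_paths())
    for label, ctx in (("verifying", make_verifying_context()),
                       ("unverified", make_unverified_context())):
        print("%s context: %s" % (label, audit_context(ctx) or ["no findings"]))
```

`audit_context` reports a missing trust store as a finding on purpose: with `CERT_REQUIRED` set but zero CAs loaded every handshake fails closed, which is loud and easy to notice, whereas `CERT_NONE` with an empty store fails open silently, which is the case Nick is objecting to.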