On Tue, Feb 19, 2013 at 3:05 PM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> Â Â* It could sure use comments!Can you be more specific? This all feels like a lot of boilerplate to
me. Parse the URL, initialize OpenSSL, create some bufferevents. I'm
not sure what more I can say that a reader of bufferevent.h,
bufferevent_ssl.sh and SSL_new(3) etc. doesn't already know.
SSL_CTX_set_verify(SSL_VERIFY_PEER, NULL); sound about right to you?
> Â Â* This is dangerous code; it doesn't do any certificate validation
> so far as I can see, and as such gets zero protection from
> man-in-the-middle attacks. ÂPeople who don't know how to use TLS will
> be copying our examples here, so we need to make sure to get the
> security right.
I'm trying to figure out whether OpenSSL distributes a set of CA certs
and initializes the path or whether I need to do this myself - any