
Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.

On Wed, Feb 20, 2013 at 12:42 PM, Catalin Patulea <catalinp@xxxxxxxxxx> wrote:
> On Tue, Feb 19, 2013 at 9:40 PM, Jardel Weyrich <jweyrich@xxxxxxxxx> wrote:
>> 2) Call SSL_CTX_load_verify_locations passing the path of the CA
>> certificates installed by the aforementioned package - generally
>> /etc/ssl/certs/ca-certificates.crt
> Nick, does this seem like a reasonable solution?
> SSL_CTX_load_verify_locations(ssl_ctx,
> "/etc/ssl/certs/ca-certificates.crt", NULL);

Seems like it could work fine for an initial attempt.  Of course, it
needs to check for errors and report them if they occur.

Also, in addition to this and SSL_verify, I think you may need to call
SSL_get_certificate_status() [or whatever it's called] and
SSL_get_peer_certificate() in some combination, and check that the
hostname in the cert matches the hostname you're trying to connect to
-- unless I *think* openssl does this for you?

BTW, have a look at http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf ,
for information/entertainment value.  A lot of software gets this
stuff wrong, and makes it easy to get it wrong.  I'd like to make sure
we test this pretty hard, to make sure that:
  * a self-signed certificate doesn't get accepted
  * a CA-signed certificate for the wrong hostname doesn't get accepted
  * whatever else we'd be likely to overlook if we forgot to test the
failing cases

> Anything more than this feels, to me, outside the scope of a libevent sample.
> In a related vein, is it possible to get OpenSSL to immediately dump
> errors to stderr? The only API I can find (ERR_*) let you inspect
> errors after the fact (ERR_get_error, ERR_print_error, etc.) but I
> would prefer not to clutter the sample with those calls unless
> necessary?

I don't know of an API like that in openssl.  (Anybody?)
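The hostname check Nick raises above, written out as an added example (not part of the patch or of libevent): a match of a certificate name against the dialed host following the usual rule for DNS names and wildcards (RFC 6125). OpenSSL 1.0.2 and later can do this inside the library via X509_VERIFY_PARAM_set1_host (SSL_set1_host in 1.1.0), and a client on a modern library should use that; the function is here to make the rule, and the failing cases a test should cover, concrete.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes (DNS names are case-insensitive). */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* True if s consists only of digits and dots, i.e. an IPv4 literal, which a wildcard must never match. */
static bool is_ipv4_literal(const char *s)
{
    for (; *s; s++)
        if (!isdigit((unsigned char)*s) && *s != '.')
            return false;
    return true;
}

/* Does a certificate name (CN or dNSName SAN) match the host we dialed?
 * Rules: exact case-insensitive match, or a wildcard that is the whole
 * leftmost label ("*.example.com"), covers exactly one label, and has at
 * least two labels after it (so "*.com" is rejected). */
bool hostname_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen == 0 || hlen == 0)
        return false;
    if (pattern[0] != '*')                       /* no wildcard: exact match only */
        return plen == hlen && ieq(pattern, host, plen);
    if (plen < 2 || pattern[1] != '.')           /* "*foo.example.com" style: reject */
        return false;
    if (is_ipv4_literal(host))
        return false;
    if (strchr(pattern + 2, '.') == NULL)        /* "*.com": too few labels after the wildcard */
        return false;
    const char *hdot = strchr(host, '.');        /* end of the host's leftmost label */
    if (hdot == NULL || hdot == host)
        return false;
    /* the wildcard consumed one label; the remainder must match exactly */
    const char *psuf = pattern + 1;              /* ".example.com" */
    size_t slen = strlen(psuf);
    size_t hsuf = hlen - (size_t)(hdot - host);
    return slen == hsuf && ieq(psuf, hdot, slen);
}
```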