On Wed, Feb 20, 2013 at 12:42 PM, Catalin Patulea <catalinp@xxxxxxxxxx> wrote:
> On Tue, Feb 19, 2013 at 9:40 PM, Jardel Weyrich <jweyrich@xxxxxxxxx> wrote:
>> 2) Call SSL_CTX_load_verify_locations passing the path of the CA
>> certificates installed by the aforementioned package - generally
>> /etc/ssl/certs/ca-certificates.crt
> Nick, does this seem like a reasonable solution?
>
> SSL_CTX_load_verify_locations(ssl_ctx,
> "/etc/ssl/certs/ca-certificates.crt", NULL);

Seems like it could work fine for an initial attempt.  Of course, it
needs to check for errors and report them if they occur.

Also, in addition to this and SSL_verify, I think you may need to call
SSL_get_certificate_status() [or whatever it's called] and
SSL_get_peer_certificate() in some combination, and check that the
hostname in the cert matches the hostname you're trying to connect to
-- unless I *think* openssl does this for you?

BTW, have a look at http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf ,
for information/entertainment value.  A lot of software gets this
stuff wrong, and makes it easy to get it wrong.  I'd like to make sure
we test this pretty hard, to make sure that:
 * a self-signed certificate doesn't get accepted
 * a CA-signed certificate for the wrong hostname doesn't get accepted
 * whatever else we'd be likely to overlook if we forgot to test the
failing cases

> Anything more than this feels, to me, outside the scope of a libevent sample.
>
> In a related vein, is it possible to get OpenSSL to immediately dump
> errors to stderr? The only API I can find (ERR_*) lets you inspect
> errors after the fact (ERR_get_error, ERR_print_error, etc.) but I
> would prefer not to clutter the sample with those calls unless
> necessary?

I don't know of an API like that in openssl.  (Anybody?)

--
Nick
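The hostname check discussed in this message, as an added example that is not part of the thread or of libevent: a stand-alone C matcher applying the RFC 6125 rule a client must use on the certificate's DNS name, covering the "CA-signed certificate for the wrong hostname" case Nick wants tested. OpenSSL 1.0.2 and later provide this as X509_check_host() / X509_VERIFY_PARAM_set1_host(); the function names here (hostname_matches, name_eq) are assumed names of my own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two DNS name fragments (DNS ignores case). */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/*
 * Does a DNS name from the certificate ("pattern") match the host we meant
 * to connect to?  Rules per RFC 6125 section 6.4.3:
 *   - a wildcard is allowed only as the entire leftmost label ("*.example.com");
 *   - it matches exactly one label, so "*.example.com" does not match
 *     "example.com" or "a.b.example.com";
 *   - the part after the wildcard needs at least two labels ("*.com" is refused);
 *   - otherwise the names must be identical, ignoring case.
 * Returns 1 on match, 0 on mismatch (the caller must then refuse the connection).
 */
int hostname_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 2;         /* e.g. "example.com" */
        const char *hdot = strchr(host, '.');     /* end of host's first label */
        if (!hdot || hdot == host)                /* host needs a non-empty first label */
            return 0;
        if (!strchr(suffix, '.') || strchr(suffix, '*'))
            return 0;                             /* "*.com", or a second wildcard */
        return name_eq(suffix, hdot + 1) ? 1 : 0;
    }
    if (strchr(pattern, '*'))                     /* wildcard anywhere else is invalid */
        return 0;
    return name_eq(pattern, host) ? 1 : 0;
}

/* Stand-alone demo with constructed names: the good case and two failing cases. */
int main(void)
{
    printf("%d\n", hostname_matches("*.example.com", "www.example.com"));    /* 1 */
    printf("%d\n", hostname_matches("*.example.com", "example.com"));        /* 0 */
    printf("%d\n", hostname_matches("www.example.com", "evil.example.net")); /* 0 */
    return 0;
}
```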