
Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.



On 02/20/2013 07:26 PM, Jardel Weyrich wrote:

There's X509_check_host for that, but I'm really not sure whether it's
enough or not.

Please correct me if I'm mistaken, but my impression is that X509_check_host only exists in the OpenSSL trunk, but has not yet appeared in any released version of OpenSSL. (In particular, it is not in the 1.0.1 release series.) If I'm interpreting things correctly, I believe this is going to be in the 1.1.0 release series. (But I have no idea when OpenSSL plans to release 1.1.0)

So, I think that the hostname checking is fairly easy for us, if we target OpenSSL 1.1.0 and up. But if we want to target OpenSSL versions currently in the wild (1.0.1 and down), we have to do the hostname validation ourselves. This could mean using the iSECPartners sample code:

https://github.com/iSECPartners/ssl-conservatory

However, the iSECPartners code doesn't handle wildcards, which means it fails on common cases like https://ip.appspot.com/ which has a wildcard certificate for *.appspot.com. So, I think that for full-blown wildcard hostname validation, which is usable on the Web at large, we'd need to look someplace like the cURL source code.

I'm currently looking into all this, and trying to add hostname validation to Catalin's sample program. I'll post again in the future when I have some code to show.

Also, some partially off-topic self-promotion: I've attempted to fill the vacuum in OpenSSL documentation (since the sort of quandary we're having now seems to be the norm when doing development with OpenSSL) by creating an OpenSSL Wikibook:

https://en.wikibooks.org/wiki/OpenSSL

If there are others with knowledge of OpenSSL who can contribute to the Wikibook, I'd greatly appreciate it. Otherwise, it will probably die, since I don't have the time (or knowledge) to write a whole book by myself, and the Wikibooks administrators have already started deleting pages from my book as essentially being too feeble of an attempt to be worth keeping.

--Patrick
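The wildcard problem Patrick describes (a certificate for *.appspot.com that must match ip.appspot.com but not a.b.appspot.com) is the core of do-it-yourself hostname validation on OpenSSL releases without X509_check_host. The matcher below is an added example written for this page, not code from the libevent sample, iSECPartners or cURL; it assumes the caller has already extracted each presented name (dNSName SAN entries, or the CN as a fallback) from the verified peer certificate and loops over them with this hypothetical `hostname_matches` helper.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges of equal length. */
static bool eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Match a host name against one presented name (CN or dNSName SAN),
 * honouring wildcards the way browsers and cURL do:
 *   - only a whole leftmost label may be "*" (no "f*.example.com")
 *   - "*" matches exactly one label, so "*.example.com" matches neither
 *     "a.b.example.com" nor "example.com" itself
 *   - the suffix after "*." must contain at least two labels ("*.com" is
 *     rejected)
 *   - comparison is case-insensitive; a trailing dot is ignored
 * Returns true on match. Hypothetical helper name, added for illustration. */
bool hostname_matches(const char *host, const char *pattern) {
    size_t hl = strlen(host), pl = strlen(pattern);
    if (hl && host[hl - 1] == '.') hl--;            /* ignore trailing dot */
    if (pl && pattern[pl - 1] == '.') pl--;
    if (hl == 0 || pl == 0) return false;

    if (pl >= 2 && pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 1;            /* ".example.com" */
        size_t sl = pl - 1;
        /* Require a second dot in the suffix: at least two labels remain. */
        if (memchr(suffix + 1, '.', sl - 1) == NULL) return false;
        /* Host must be longer than the suffix, and the part covered by the
         * wildcard must be a single non-empty label (no dots). */
        if (hl <= sl) return false;
        size_t first_len = hl - sl;
        if (memchr(host, '.', first_len) != NULL) return false;
        return eq_nocase(host + first_len, suffix, sl);
    }
    /* Any other "*" in the pattern is rejected; otherwise exact match. */
    if (memchr(pattern, '*', pl) != NULL) return false;
    return hl == pl && eq_nocase(host, pattern, pl);
}
```

In a real client this runs only after the chain itself verified (SSL_get_verify_result returning X509_V_OK); a name match on an unverified certificate proves nothing.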
