[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.

To: libevent-users@xxxxxxxxxxxxx
Subject: Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
From: Patrick Pelletier <ppelletier@xxxxxxxxxx>
Date: Wed, 27 Feb 2013 18:13:49 -0800
Cc: Jardel Weyrich <jweyrich@xxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivered-to: libevent-users-outgoing@xxxxxxxx
Delivered-to: libevent-users@xxxxxxxx
Delivery-date: Wed, 27 Feb 2013 21:13:56 -0500
In-reply-to: <CAN8TAOuHqJh=K9u3rUWuyOQdWCQqNZFnV4FdRa0gtV=bTZ5rdA@xxxxxxxxxxxxxx>
References: <1361294551-21026-1-git-send-email-catalinp@xxxxxxxxxx> <CAKDKvuwG_1631y5X+i_HRs=S5iOEoQu-ifmqu9cMPs=9hV-Tkg@xxxxxxxxxxxxxx> <CAJB0wA85yDMgJuWOEwzAgmO5QFD1PqdaP=mcM5dxgAjEk=J=BA@xxxxxxxxxxxxxx> <CAN8TAOtfHGUYNgPabKRBf=ZHbnM2=VnvJLnQdEg6iOdEfZT49w@xxxxxxxxxxxxxx> <CAJB0wA8Jb2qOqxktqcmKaQCmYch4ygspuZ2pv+Hx6g3Lo_rsQw@xxxxxxxxxxxxxx> <CAKDKvuzMAAQ0uQW8+bsW2nkJJ7a2cSm9uxcYGLxRxCyfVH8LkA@xxxxxxxxxxxxxx> <CAN8TAOuHqJh=K9u3rUWuyOQdWCQqNZFnV4FdRa0gtV=bTZ5rdA@xxxxxxxxxxxxxx>
Reply-to: libevent-users@xxxxxxxxxxxxx
Sender: owner-libevent-users@xxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0

On 02/20/2013 07:26 PM, Jardel Weyrich wrote:

There's X509_check_host for that, but I'm really not sure whether it's
enough or not.

Please correct me if I'm mistaken, but my impression is thatX509_check_host only exists in the OpenSSL trunk, but has not yetappeared in any released version of OpenSSL. (In particular, it is notin the 1.0.1 release series.) If I'm interpreting things correctly, Ibelieve this is going to be in the 1.1.0 release series. (But I have noidea when OpenSSL plans to release 1.1.0)

So, I think that the hostname checking is fairly easy for us, if wetarget OpenSSL 1.1.0 and up. But if we want to target OpenSSL versionscurrently in the wild (1.0.1 and down), we have to do the hostnamevalidation ourselves. This could mean using the iSECPartners sample code:


https://github.com/iSECPartners/ssl-conservatory

However, the iSECPartners code doesn't handle wildcards, which means itfails on common cases like https://ip.appspot.com/ which has a wildcardcertificate for *.appspot.com. So, I think that for full-blown wildcardhostname validation, which is usable on the Web at large, we'd need tolook someplace like the cURL source code.

I'm currently looking into all this, and trying to add hostnamevalidation to Catalin's sample program. I'll post again in the futurewhen I have some code to show.

Also, some partially off-topic self-promotion: I've attempted to fillthe vacuum in OpenSSL documentation (since the sort of quandry we'rehaving now seems to be the norm when doing development with OpenSSL) bycreating an OpenSSL Wikibook:


https://en.wikibooks.org/wiki/OpenSSL

If there are others with knowledge of OpenSSL who can contribute to theWikibook, I'd greatly appreciate it. Otherwise, it will probably die,since I don't have the time (or knowledge) to write a whole book bymyself, and the Wikibooks administrators have already started deletingpages from my book as essentially being too feeble of an attempt to beworth keeping.


--Patrick

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxx with
unsubscribe libevent-users    in the body.

Follow-Ups:
- Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
  - From: Jardel Weyrich

References:
- [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
  - From: Catalin Patulea
- Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
  - From: Nick Mathewson
- Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
  - From: Catalin Patulea
- Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
  - From: Jardel Weyrich
- Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
  - From: Catalin Patulea
- Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
  - From: Nick Mathewson
- Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
  - From: Jardel Weyrich

Prev by Author: Re: [Libevent-users] evhttp client and IPv6
Next by Author: Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
Previous by thread: Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
Next by thread: Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.
Index(es):
- Author
- Thread