Re: [Libevent-users] [PATCH] Add sample/https-client.c, an example of stacking evhttp as a client on top of bufferevent_ssl.




On Wed, Feb 27, 2013 at 11:13 PM, Patrick Pelletier <ppelletier@xxxxxxxxxx> wrote:
> On 02/20/2013 07:26 PM, Jardel Weyrich wrote:
>
>> There's X509_check_host for that, but I'm really not sure whether it's
>> enough or not.
>
> Please correct me if I'm mistaken, but my impression is that X509_check_host only exists in the OpenSSL trunk, but has not yet appeared in any released version of OpenSSL. (In particular, it is not in the 1.0.1 release series.) If I'm interpreting things correctly, I believe this is going to be in the 1.1.0 release series. (But I have no idea when OpenSSL plans to release 1.1.0.)

It seems that you're right. The next feature release will be 1.0.2 though, but I don't see an ETA - http://www.openssl.org/news/state.html

> So, I think that the hostname checking is fairly easy for us, if we target OpenSSL 1.1.0 and up. But if we want to target OpenSSL versions currently in the wild (1.0.1 and down), we have to do the hostname validation ourselves. This could mean using the iSECPartners sample code:
>
> https://github.com/iSECPartners/ssl-conservatory
>
> However, the iSECPartners code doesn't handle wildcards, which means it fails on common cases like https://ip.appspot.com/ which has a wildcard certificate for *.appspot.com. So, I think that for full-blown wildcard hostname validation, which is usable on the Web at large, we'd need to look someplace like the cURL source code.

libcurl is a good candidate. The still-not-released OpenSSL function seems to support wildcard in any subdomain label. Libevent could ship a copy of it, but only use it when the host version of OpenSSL is <= 1.<something>. That would require including the proper license, I guess.

> Thoughts?
>
> I'm currently looking into all this, and trying to add hostname validation to Catalin's sample program. I'll post again in the future when I have some code to show.

Awesome!

> Also, some partially off-topic self-promotion: I've attempted to fill the vacuum in OpenSSL documentation (since the sort of quandary we're having now seems to be the norm when doing development with OpenSSL) by creating an OpenSSL Wikibook:
>
> https://en.wikibooks.org/wiki/OpenSSL
>
> If there are others with knowledge of OpenSSL who can contribute to the Wikibook, I'd greatly appreciate it. Otherwise, it will probably die, since I don't have the time (or knowledge) to write a whole book by myself, and the Wikibooks administrators have already started deleting pages from my book as essentially being too feeble of an attempt to be worth keeping.
>
> --Patrick


Great work! I'll try to tout some hands to help. Although my OpenSSL knowledge is mostly restricted to X.509, I'll also try to get my hands dirty as soon as I can.

- jw
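The wildcard matching that the thread says the iSECPartners code lacks, as an added example that is not part of this thread and not taken from libevent, ssl-conservatory or cURL: a stand-alone C matcher for the names a client pulls out of the server certificate (dNSName SAN entries, or the subject CN only when there is no SAN), written to the conservative RFC 6125 section 6.4.3 rules. It deliberately uses no OpenSSL API, so it builds against any 1.0.1-era toolchain; extracting the names from the X509 is the caller's job, and once X509_check_host is available it should be preferred over this. The test vectors in main() are constructed, not taken from real certificates.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Rules enforced (conservative reading of RFC 6125 s6.4.3):
 *  - comparison is case-insensitive; one trailing dot is ignored;
 *  - a wildcard is accepted only as the entire leftmost label ("*.example.com");
 *  - the wildcard matches exactly one label, so "a.b.example.com" is refused;
 *  - at least two labels must follow the wildcard ("*.com" is refused);
 *  - a wildcard never matches an IPv4 address literal.
 */

/* Case-insensitive comparison of exactly n bytes. */
static bool label_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* True when the first n bytes of host are only digits and dots. */
static bool looks_like_ipv4(const char *host, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)host[i]) && host[i] != '.')
            return false;
    return n > 0;
}

/* Returns true when the certificate name `pattern` covers `host`. */
bool match_hostname(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen == 0 || hlen == 0)
        return false;
    /* "example.com." and "example.com" are the same name. */
    if (pattern[plen - 1] == '.') plen--;
    if (host[hlen - 1] == '.') hlen--;
    if (plen == 0 || hlen == 0)
        return false;

    const char *star = memchr(pattern, '*', plen);
    if (star == NULL)                       /* plain name: exact match only */
        return plen == hlen && label_eq(pattern, host, plen);

    /* The wildcard must be the whole first label: pattern starts with "*." */
    if (star != pattern || plen < 2 || pattern[1] != '.')
        return false;
    if (memchr(pattern + 1, '*', plen - 1) != NULL)
        return false;                       /* only one '*' allowed */

    const char *suffix = pattern + 1;       /* e.g. ".example.com" */
    size_t slen = plen - 1;

    /* At least two non-empty labels must follow the wildcard. */
    int dots = 0;
    for (size_t i = 0; i < slen; i++) {
        if (suffix[i] != '.')
            continue;
        dots++;
        if (i + 1 < slen && suffix[i + 1] == '.')
            return false;                   /* empty label, "*..example.com" */
    }
    if (dots < 2 || suffix[slen - 1] == '.')
        return false;

    if (looks_like_ipv4(host, hlen))
        return false;                       /* no wildcard for "10.1.2.3" */

    /* host = <one non-empty label> + suffix; the label may not contain a dot */
    if (hlen <= slen)
        return false;
    size_t labellen = hlen - slen;
    if (memchr(host, '.', labellen) != NULL)
        return false;

    return label_eq(suffix, host + labellen, slen);
}

int main(void)
{
    /* Constructed vectors, not from any real certificate. */
    static const struct { const char *pattern, *host; } cases[] = {
        { "*.appspot.com",   "ip.appspot.com"   },  /* match    */
        { "*.appspot.com",   "a.b.appspot.com"  },  /* no match */
        { "*.appspot.com",   "appspot.com"      },  /* no match */
        { "www.example.com", "WWW.EXAMPLE.COM." },  /* match    */
        { "*.com",           "example.com"      },  /* no match */
        { "f*.example.com",  "foo.example.com"  },  /* no match */
        { "*.1.2.3",         "10.1.2.3"         },  /* no match */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-17s -> %s\n", cases[i].pattern, cases[i].host,
               match_hostname(cases[i].pattern, cases[i].host) ? "match" : "no match");
    return 0;
}
```

Rejecting partial-label wildcards ("f*.example.com") and wildcards in anything but the leftmost label is stricter than what some browsers accept, but it is the safe default for a library client: every name this accepts is one that every mainstream validator also accepts.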