
Re: [Libevent-users] evhttp and TLS hostname validation



On 12/10/2012 03:05 AM, Patrick Pelletier wrote:

So I had been thinking it couldn't be done with the callback.  However,
after re-reading the manpage for SSL_CTX_set_verify, it sounds like it
does get called on success, and is given the opportunity to fail the
connection.  So perhaps I could call validate_hostname() from inside the
callback after all.  I just haven't seen it done that way, but I'll give
it a try and see if it works.

The problem with this is that the callback set with SSL_CTX_set_verify is called once for *each* certificate in the chain, starting with the certificate authority, working its way through the intermediate certificates (if any) and ending with the server's certificate. The server certificate is the one I want to check the hostname of. But how do I tell when my callback is being called for the *last* time? That seems to be a fundamentally intractable problem.

The moment to do this:
...
- SSL_connect() returns without a failure
- <here and other post SSL connect checks>
- continue handing over the (SSL *)
...

Yeah, I'd been thinking that might be the only way to do it, before I
went back and re-read the SSL_CTX_set_verify documentation.

But it seems like the disadvantage of doing the connect before handing
the SSL over to libevent is that then the connect has to be synchronous,
right?  The handshake wouldn't be event-driven.

So, is that what everybody else does? Just do the handshake synchronously and then hand it over to libevent after performing the handshake and checking the certificate?

--Patrick
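The depth OpenSSL passes to the verify callback answers the "which call is the last one" question: the leaf certificate is always depth 0 and is verified last, after the root and any intermediates. Below is an added illustration, not code from this thread or from libevent, that models that callback sequence in plain C so it runs without OpenSSL; in a real callback the depth comes from X509_STORE_CTX_get_error_depth(ctx) and the certificate from X509_STORE_CTX_get_current_cert(ctx), and the struct cert, verify_cb, verify_chain and hostname_matches names and the sample chain are my own constructions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for what the OpenSSL callback can read from its
 * X509_STORE_CTX: the current certificate's name and its depth in the chain. */
struct cert { const char *subject_cn; int depth; };

/* Hostname matching with a single leftmost-label wildcard ("*.example.org"). */
static bool hostname_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        /* the wildcard stands for exactly one non-empty label, so the host
         * must have a dot and everything after it must equal the pattern */
        return dot != NULL && dot != host && strcmp(dot + 1, pattern + 2) == 0;
    }
    return strcmp(pattern, host) == 0;
}

static int hostname_checks; /* how often the hostname was validated per chain */

/* Same contract as the SSL_CTX_set_verify callback: return 1 to accept the
 * certificate, 0 to fail the connection. The hostname is checked only at
 * depth 0, i.e. on the server (leaf) certificate, never on CA certificates. */
static int verify_cb(int preverify_ok, const struct cert *c, const char *expected_host)
{
    if (!preverify_ok)
        return 0;      /* OpenSSL already found a chain error: keep failing */
    if (c->depth != 0)
        return 1;      /* root or intermediate: nothing hostname-related here */
    hostname_checks++;
    return hostname_matches(c->subject_cn, expected_host) ? 1 : 0;
}

/* Drive the callback in OpenSSL's order: root first, leaf (depth 0) last. */
static int verify_chain(const struct cert *chain, int n, const char *expected_host)
{
    hostname_checks = 0;
    for (int i = 0; i < n; i++)
        if (!verify_cb(1, &chain[i], expected_host))
            return 0;
    return 1;
}

/* Constructed sample chain, listed in the order the callback sees it. */
static const struct cert sample_chain[] = {
    { "Example Root CA", 2 }, { "Example Intermediate CA", 1 }, { "*.example.org", 0 },
};

int main(void)
{
    int ok = verify_chain(sample_chain, 3, "www.example.org");
    printf("www.example.org accepted=%d, hostname checked %d time(s)\n", ok, hostname_checks);
    return ok ? 0 : 1;
}
```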
