On Mon, 2010-03-08 at 19:18 +0100, Álvaro J. Iradier wrote:
> On Mon, Mar 8, 2010 at 7:03 PM, Youness Alaoui
> <kakar...@kakaroto.homelinux.net> wrote:
> > Hi,
> > I remember looking at the 'how to validate certificates with tcl-tls' a
> > while ago, it's not really hard, but it will probably be annoying to do it..
> > especially considering the http stuff, and in cases of proxies (the code and
> > API used for proxies is different).. there are so many tls connections to so
> > many different servers, each might have their own certificate, and since for
> > http we can only set it up via 'http::register' for the port 443, if we do
> > two parallel connections, we might have easily a race condition where the
> > wrong certificate is being checked...
> 
> I don't know how the connection is done right now, but I guess we
> should check that the server provided certificate is signed by a valid
> CA, and that the cn (common name) of the certificate is the hostname
> we are connecting to (or are we using an IP address?).
> 
package require tls
# Debug callback: prints every handshake event. For "verify" events the return
# value decides whether the cert is accepted, so pass back OpenSSL's verdict.
proc debug {type args} {
    puts [info level 0]
    if {$type eq "verify"} { return [lindex $args 3] }
    return 1
}
set s [::tls::socket -command ::debug -cafile /etc/pki/tls/certs/ca-bundle.crt \
           -request 1 -require 1 login.live.com 443]
puts [::tls::handshake $s]
puts [::tls::status $s]

This code works for me, as a test.
We need ::tls::handshake to return 1, and from the output of status we
can get the CN of the subject and compare that against the hostname.

-cafile on a Debian system is probably /etc/ssl/certs/ca-certificates.crt

HTH, Tjikkun


_______________________________________________
Amsn-devel mailing list
Amsn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amsn-devel
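The check Tjikkun describes (CA-verified handshake must return 1, then the CN from ::tls::status must match the hostname) written out as an added example. This is not code from the thread or from aMSN; it assumes the subject string has the OpenSSL one-line form `/C=.../O=.../CN=host` that ::tls::status returns, the procedure names `cert_cn`, `cn_matches` and `tls_connect_verified` are made up here, and the status list at the bottom is constructed by hand so the CN check can be exercised without a network connection.

```tcl
package require tls

# Extract the CN from the one-line subject string in a ::tls::status list,
# e.g. "/C=US/ST=Washington/O=Microsoft Corporation/CN=login.live.com".
# Returns "" when there is no subject or no CN component.
proc cert_cn {status} {
    array set st $status
    if {![info exists st(subject)]} { return "" }
    foreach part [split $st(subject) "/"] {
        if {[string match -nocase "CN=*" $part]} {
            return [string range $part 3 end]
        }
    }
    return ""
}

# Compare a certificate CN against the host we connected to.
# Exact match is case-insensitive. A single leading "*" label is accepted
# for exactly one host label (*.live.com matches login.live.com but not
# a.b.live.com), never for a top-level suffix like *.com, and never when
# the "host" is an IP literal, where a wildcard makes no sense.
proc cn_matches {cn host} {
    set cn   [string tolower $cn]
    set host [string tolower $host]
    if {$cn eq ""} { return 0 }
    if {$cn eq $host} { return 1 }
    set cnLabels   [split $cn "."]
    set hostLabels [split $host "."]
    if {[lindex $cnLabels 0] eq "*" && [llength $cnLabels] >= 3
            && [llength $cnLabels] == [llength $hostLabels]
            && ![regexp {^[0-9.]+$|:} $host]} {
        return [expr {[lrange $cnLabels 1 end] eq [lrange $hostLabels 1 end]}]
    }
    return 0
}

# Full flow from the post: CA-verified handshake must return 1, then the
# CN must match the hostname. Needs network access; closes the socket and
# raises an error on any failure, returns the open channel on success.
proc tls_connect_verified {host port cafile} {
    set s [::tls::socket -cafile $cafile -request 1 -require 1 $host $port]
    if {[catch {::tls::handshake $s} ok] || $ok != 1} {
        catch {close $s}
        error "TLS handshake with $host failed: $ok"
    }
    set status [::tls::status $s]
    set cn [cert_cn $status]
    if {![cn_matches $cn $host]} {
        close $s
        error "certificate CN '$cn' does not match $host"
    }
    return $s
}

# Constructed sample of a ::tls::status result (not captured from any real
# server) so the CN check can be run offline.
set sample {sbits 128 subject {/C=US/O=Example/CN=login.live.com} \
            issuer {/O=Example CA/CN=Example Root} cipher AES128-SHA}

puts "CN in sample: [cert_cn $sample]"
puts "login.live.com accepted:     [cn_matches [cert_cn $sample] login.live.com]"
puts "attacker.example accepted:   [cn_matches [cert_cn $sample] attacker.example]"
puts "*.live.com vs login.live.com: [cn_matches *.live.com login.live.com]"
puts "*.live.com vs a.b.live.com:   [cn_matches *.live.com a.b.live.com]"
puts "*.com vs live.com:            [cn_matches *.com live.com]"

# Online use, e.g.: set chan [tls_connect_verified login.live.com 443 \
#     /etc/ssl/certs/ca-certificates.crt]
```

Two caveats for anyone copying this. The CA check alone (`-cafile` with `-require 1`) only proves the chain ends at a trusted root; without the CN comparison any certificate issued to any name by any bundled CA would be accepted, which is exactly the man-in-the-middle case the check exists for. And matching on the subject CN is what the post proposes because that is the field ::tls::status exposes; certificates commonly carry their names in the subjectAltName extension instead, so a server whose CN does not name the host will be rejected here even when its SAN would have matched.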