Hello,

Has there been any consideration for adding functionality such as peer verification and other customizations that can be passed to openssl?

For instance, I'd like to be able to provide a file containing a set of trusted certificate authorities and enable peer verification. (See openssl docs for SSL_CTX_load_verify_locations and SSL_CTX_set_verify.) Also, I'd like to be able to control which SSL versions are used, particularly enabling SSLv3 and TLSv1 while disabling SSLv2 (passing SSL_OP_NO_SSLv2 to SSL_CTX_set_options). A couple of other options that I'd like to control are SSL_CTX_set_cipher_list (disabling lower quality ciphers, etc.) and the data passed to RAND_seed. After reading O'Reilly's "Network Security with OpenSSL" book a few months back, I've gained a better warm fuzzy by using "stunnel" and similar products that allow control of these options, but I'd like to take away as many of these indirections as possible.

If it's a matter of time or resources and you don't mind, I could spend some time on it and contribute a patch, which I might work on anyway for my own use :)

thanks!
-Abe