On Tue, Feb 19, 2013 at 3:05 PM, Nick Mathewson <ni...@freehaven.net> wrote:
> * It could sure use comments!

Can you be more specific? This all feels like a lot of boilerplate to me. Parse the URL, initialize OpenSSL, create some bufferevents. I'm not sure what more I can say that a reader of bufferevent.h, bufferevent_ssl.h and SSL_new(3) etc. doesn't already know.

> * This is dangerous code; it doesn't do any certificate validation
> so far as I can see, and as such gets zero protection from
> man-in-the-middle attacks. People who don't know how to use TLS will
> be copying our examples here, so we need to make sure to get the
> security right.

SSL_CTX_set_verify(SSL_VERIFY_PEER, NULL); sound about right to you? I'm trying to figure out whether OpenSSL distributes a set of CA certs and initializes the path or whether I need to do this myself - any idea?