On Tue, Feb 19, 2013 at 7:07 PM, Catalin Patulea <catal...@google.com> wrote:

> On Tue, Feb 19, 2013 at 3:05 PM, Nick Mathewson <ni...@freehaven.net>
> wrote:
> >  * It could sure use comments!
> Can you be more specific? This all feels like a lot of boilerplate to
> me. Parse the URL, initialize OpenSSL, create some bufferevents. I'm
> not sure what more I can say that a reader of bufferevent.h,
> bufferevent_ssl.sh and SSL_new(3) etc. doesn't already know.
>
> >  * This is dangerous code; it doesn't do any certificate validation
> > so far as I can see, and as such gets zero protection from
> > man-in-the-middle attacks. People who don't know how to use TLS will
> > be copying our examples here, so we need to make sure to get the
> > security right.
> SSL_CTX_set_verify(SSL_VERIFY_PEER, NULL); sound about right to you?
>
> I'm trying to figure out whether OpenSSL distributes a set of CA certs

OpenSSL by itself does not distribute a list of trusted CA certificates.
Assuming Debian, you could install a list of them using:

# apt-get install ca-certificates

> and initializes the path or whether I need to do this myself - any
> idea?

It does not do it automatically. You have a few options:

1) Load the CAs you care about and add them to a certificate store -
   See http://stackoverflow.com/a/3343843/298054

2) Call SSL_CTX_load_verify_locations passing the path of the CA
   certificates installed by the aforementioned package - generally
   /etc/ssl/certs/ca-certificates.crt

3) Use a combination of X509_STORE_add_lookup,
   X509_STORE_load_locations, X509_STORE_set_default_paths,
   X509_LOOKUP_load_file, and X509_STORE_add_lookup

- jw
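
The configuration discussed in this thread, as an added example that is not part of the original message or of the libevent sample: a client context with no peer verification beside one that requires a trusted chain and loads CA certificates explicitly. It uses Python's ssl module, which wraps OpenSSL; the comments name the corresponding OpenSSL settings, and the function names are hypothetical.

```python
import os
import ssl

# CA bundle path given in the thread for Debian's ca-certificates package.
DEBIAN_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def unverified_context():
    """Weak setting: the handshake completes with any certificate at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # OpenSSL: SSL_VERIFY_NONE
    return ctx


def verifying_context(ca_file=DEBIAN_CA_BUNDLE):
    """Corrected setting: trusted chain required, hostname matched."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # OpenSSL: SSL_VERIFY_PEER
    # Chain validation alone accepts any certificate issued by a trusted CA,
    # whatever name it carries, so the hostname check stays enabled as well.
    ctx.check_hostname = True
    if ca_file and os.path.isfile(ca_file):
        # Option 2 from the reply: SSL_CTX_load_verify_locations.
        # A corrupt bundle raises ssl.SSLError, so the failure is not silent.
        ctx.load_verify_locations(cafile=ca_file)
    else:
        # No bundle at that path: use the locations compiled into OpenSSL
        # (SSL_CTX_set_default_verify_paths). If those are empty too, every
        # handshake fails verification instead of quietly succeeding.
        ctx.set_default_verify_paths()
    return ctx


def summarize(ctx):
    """Report the two properties that decide man-in-the-middle protection."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("unverified:", summarize(unverified_context()))
    print("verifying: ", summarize(verifying_context()))
```
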