On Wed, Feb 20, 2013 at 12:42 PM, Catalin Patulea <catal...@google.com> wrote:
> On Tue, Feb 19, 2013 at 9:40 PM, Jardel Weyrich <jweyr...@gmail.com> wrote:
>> 2) Call SSL_CTX_load_verify_locations passing the path of the CA
>> certificates installed by the aforementioned package - generally
>> /etc/ssl/certs/ca-certificates.crt
> Nick, does this seem like a reasonable solution?
>
> SSL_CTX_load_verify_locations(ssl_ctx,
> "/etc/ssl/certs/ca-certificates.crt", NULL);
Seems like it could work fine for an initial attempt. Of course, it needs to check for errors and report them if they occur.

Also, in addition to this and SSL_verify, I think you may need to call SSL_get_certificate_status() [or whatever it's called] and SSL_get_peer_certificate() in some combination, and check that the hostname in the cert matches the hostname you're trying to connect to -- unless... I *think* openssl does this for you?

BTW, have a look at http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf , for information/entertainment value. A lot of software gets this stuff wrong, and makes it easy to get it wrong.

I'd like to make sure we test this pretty hard, to make sure that:

* a self-signed certificate doesn't get accepted
* a CA-signed certificate for the wrong hostname doesn't get accepted
* whatever else we'd be likely to overlook if we forgot to test the failing cases

> Anything more than this feels, to me, outside the scope of a libevent sample.
>
> In a related vein, is it possible to get OpenSSL to immediately dump
> errors to stderr? The only API I can find (ERR_*) lets you inspect
> errors after the fact (ERR_get_error, ERR_print_error, etc.) but I
> would prefer not to clutter the sample with those calls unless
> necessary?

I don't know of an API like that in openssl. (Anybody?)

--
Nick