On Wed, Feb 20, 2013 at 10:26 PM, Jardel Weyrich <jweyr...@gmail.com> wrote:
> On Wed, Feb 20, 2013 at 9:03 PM, Nick Mathewson <ni...@freehaven.net> wrote:
>>
>> On Wed, Feb 20, 2013 at 12:42 PM, Catalin Patulea <catal...@google.com>
>> wrote:
>> > On Tue, Feb 19, 2013 at 9:40 PM, Jardel Weyrich <jweyr...@gmail.com>
>> > wrote:
>> >> 2) Call SSL_CTX_load_verify_locations passing the path of the CA
>> >> certificates installed by the aforementioned package - generally
>> >> /etc/ssl/certs/ca-certificates.crt
>> > Nick, does this seem like a reasonable solution?
>> >
>> > SSL_CTX_load_verify_locations(ssl_ctx,
>> > "/etc/ssl/certs/ca-certificates.crt", NULL);
>>
>> Seems like it could work fine for an initial attempt. Of course, it
>> needs to check for errors and report them if they occur.
>
>
> Even though libevent cannot assume that file exists - it would have to ship
> it, or an alternative to it.

Yeah.

> Are we talking about the test case?

This is for a new entry in samples/, which is supposed to be sample "how
to use libevent" code.

> If yes, another option would be to
> generate some certificates - 2 CAs, plus 2 certs per CA (1 valid, 1
> expired), and 2 extra self-signed certs. It's likely that more certs are
> needed to cover all possible scenarios. Lengthy work, but can be done.
>
> With this in mind, will libevent try to cover all possibilities in a test
> case?

It might be a good idea to have a test case for all of this too.

>> Also, in addition to this and SSL_verify, I think you may need to call
>> SSL_get_certificate_status() [or whatever it's called] and
>> SSL_get_peer_certificate() in some combination,
>
>
> By SSL_get_certificate_status, do you mean checking whether the certificate
> is valid (not expired, not revoked, etc)?

Ah, yeah. You need to check the validity dates too. :/ But what I meant
was the SSL_get_verify result function.

>> and check that the
>> hostname in the cert matches the hostname you're trying to connect to
>> -- unless *think* openssl does this for you?
>
>
> There's X509_check_host for that, but I'm really not sure whether it's
> enough or not.
> Might be a good idea to check how Chromium does that.

I thought Chromium used NSS?

[...]

> AFAIK, it has no callback support for this kind of "automatic error
> reporting", except for SSL_set_info_callback, which sets a callback to
> report errors and state changes for a given SSL connection. FWIW, Tor uses
> it (see src/common/tortls.c).

Yeah, I wrote that code. I wouldn't recommend SSL_set_info_callback,
though: it is a huge can of worms.

--
Nick
***********************************************************************
To unsubscribe, send an e-mail to majord...@freehaven.net with
unsubscribe libevent-users in the body.