(Reposting my conversation with Wojtek to the mailing list. I have
just noticed we switched away from it).

2013/6/7 Bartosz Brachaczek <b.brachac...@gmail.com>:
> 2013/6/6 Wojtek Kaniewski <wojte...@toxygen.net>:
>> Dnia 2013-06-04, wto o godzinie 13:37 +0200, Bartosz Brachaczek pisze:
>>> But checking which certificates are accepted by the proprietary client
>>> should be straightforward, as the current version of it is written in
>>> XUL and uses xulrunner's/gecko's methods of verifying certificates. I
>>> can volunteer to check this. If it turns out that the proprietary
>>> client trusts a CA that is not universally trusted, we might want to
>>> trust the same one when connecting to the Gadu-Gadu network in
>>> libgadu.
>>
>> Right now they use RapidSSL certificate issued by Equifax Secure
>> Certificate Authority. I can see their certificate in my Ubuntu, so I
>> guess it would be a matter of setting some flag to verify against
>> preinstalled certificates, adding them to a list of trusted CA's or
>> something similar.
>
> That's right, I have incorrectly assumed OpenSSL is using system CA
> cert store by default, and it's not the case.
>
> So the functions of interest are:
> a) for OpenSSL:
> -- SSL_CTX_set_default_verify_paths() to use CA cert store configured
> during OpenSSL's build
> -- SSL_get_verify_result() to retrieve certificate verification result
> b) for GnuTLS:
> -- gnutls_certificate_set_x509_system_trust() to use default system CA
> cert store, requires GnuTLS >= 3.0 so it can be problematic
> (alternatively gnutls_certificate_set_x509_trust_file() can be used to
> point to specific files; in OpenSSL that would of course be possible,
> too)
> -- gnutls_certificate_verify_peers2() and
> gnutls_x509_crt_check_hostname() to verify the certificate validity
>
>>
>> As for rejecting invalid certificates, what do you think about leaving
>> behaviour for GG_SSL_ENABLED as is, but adding a obligatory check in
>> case of GG_SSL_REQUIRED? This way users would be still able to use SSL
>> (on their own risk) if the CA changed to something obscure.
>
> I think it makes sense.
>
>>
>> Regards,
>> Wojtek
>>
_______________________________________________
libgadu-devel mailing list
libgadu-devel@lists.ziew.org
http://lists.ziew.org/mailman/listinfo/libgadu-devel

Reply via email to