(Reposting my conversation with Wojtek to the mailing list. I have just noticed we switched away from it).
2013/6/7 Bartosz Brachaczek <b.brachac...@gmail.com>: > 2013/6/6 Wojtek Kaniewski <wojte...@toxygen.net>: >> Dnia 2013-06-04, wto o godzinie 13:37 +0200, Bartosz Brachaczek pisze: >>> But checking which certificates are accepted by the proprietary client >>> should be straightforward, as the current version of it is written in >>> XUL and uses xulrunner's/gecko's methods of verifying certificates. I >>> can volunteer to check this. If it turns out that the proprietary >>> client trusts a CA that is not universally trusted, we might want to >>> trust the same one when connecting to the Gadu-Gadu network in >>> libgadu. >> >> Right now they use RapidSSL certificate issued by Equifax Secure >> Certificate Authority. I can see their certificate in my Ubuntu, so I >> guess it would be a matter of setting some flag to verify against >> preinstalled certificates, adding them to a list of trusted CA's or >> something similar. > > That's right, I have incorrectly assumed OpenSSL is using system CA > cert store by default, and it's not the case. > > So the functions of interest are: > a) for OpenSSL: > -- SSL_CTX_set_default_verify_paths() to use CA cert store configured > during OpenSSL's build > -- SSL_get_verify_result() to retrieve certificate verification result > b) for GnuTLS: > -- gnutls_certificate_set_x509_system_trust() to use default system CA > cert store, requires GnuTLS >= 3.0 so it can be problematic > (alternatively gnutls_certificate_set_x509_trust_file() can be used to > point to specific files; in OpenSSL that would of course be possible, > too) > -- gnutls_certificate_verify_peers2() and > gnutls_x509_crt_check_hostname() to verify the certificate validity > >> >> As for rejecting invalid certificates, what do you think about leaving >> behaviour for GG_SSL_ENABLED as is, but adding a obligatory check in >> case of GG_SSL_REQUIRED? This way users would be still able to use SSL >> (on their own risk) if the CA changed to something obscure. > > I think it makes sense. > >> >> Regards, >> Wojtek >> _______________________________________________ libgadu-devel mailing list libgadu-devel@lists.ziew.org http://lists.ziew.org/mailman/listinfo/libgadu-devel
