Hi Bartosz,

I was wondering if there is any update on this?


On Fri, Jun 7, 2013 at 12:24 PM, Radhesh Krishnan K <radheshkrishn...@gmail.com> wrote:

> Hi Bartosz,
>
>  Adding Equifax Secure CA one to the list of trusted CAs sounds like a
> good idea to me.
>
>
>
> On Fri, Jun 7, 2013 at 5:25 AM, Bartosz Brachaczek <b.brachac...@gmail.com> wrote:
>
>> (Reposting my conversation with Wojtek to the mailing list. I have
>> just noticed we switched away from it).
>>
>> 2013/6/7 Bartosz Brachaczek <b.brachac...@gmail.com>:
>> > 2013/6/6 Wojtek Kaniewski <wojte...@toxygen.net>:
>> >> On Tue, 2013-06-04 at 13:37 +0200, Bartosz Brachaczek wrote:
>> >>> But checking which certificates are accepted by the proprietary client
>> >>> should be straightforward, as the current version of it is written in
>> >>> XUL and uses xulrunner's/gecko's methods of verifying certificates. I
>> >>> can volunteer to check this. If it turns out that the proprietary
>> >>> client trusts a CA that is not universally trusted, we might want to
>> >>> trust the same one when connecting to the Gadu-Gadu network in
>> >>> libgadu.
>> >>
>> >> Right now they use RapidSSL certificate issued by Equifax Secure
>> >> Certificate Authority. I can see their certificate in my Ubuntu, so I
>> >> guess it would be a matter of setting some flag to verify against
>> >> preinstalled certificates, adding them to a list of trusted CAs or
>> >> something similar.
>> >
>> > That's right, I had incorrectly assumed OpenSSL uses the system CA
>> > cert store by default, and that is not the case.
>> >
>> > So the functions of interest are:
>> > a) for OpenSSL:
>> > -- SSL_CTX_set_default_verify_paths() to use CA cert store configured
>> > during OpenSSL's build
>> > -- SSL_get_verify_result() to retrieve certificate verification result
>> > b) for GnuTLS:
>> > -- gnutls_certificate_set_x509_system_trust() to use default system CA
>> > cert store, requires GnuTLS >= 3.0 so it can be problematic
>> > (alternatively gnutls_certificate_set_x509_trust_file() can be used to
>> > point to specific files; in OpenSSL that would of course be possible,
>> > too)
>> > -- gnutls_certificate_verify_peers2() and
>> > gnutls_x509_crt_check_hostname() to verify the certificate validity
>> >
>> >>
>> >> As for rejecting invalid certificates, what do you think about leaving
>> >> behaviour for GG_SSL_ENABLED as is, but adding an obligatory check in
>> >> case of GG_SSL_REQUIRED? This way users would still be able to use SSL
>> >> (at their own risk) if the CA changed to something obscure.
>> >
>> > I think it makes sense.
>> >
>> >>
>> >> Regards,
>> >> Wojtek
>> >>
>>
>
> --
> Regards,
> Radhesh Krishnan K.
>

-- 
Regards,
Radhesh Krishnan K.
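The two-mode policy Wojtek proposes above (encrypt without verifying under GG_SSL_ENABLED, verify unconditionally under GG_SSL_REQUIRED) together with the system-trust-store calls Bartosz lists, as an added example that is not libgadu's code. It uses Python's ssl module, whose set_default_verify_paths() is a thin wrapper over the OpenSSL function named in the thread; the GGSslMode values and the extra_ca_file hook are assumptions.

```python
import ssl
import socket
from enum import Enum


class GGSslMode(Enum):
    """The SSL settings discussed in the thread (numeric values are assumed)."""
    DISABLED = 0
    ENABLED = 1   # opportunistic: encrypt, but accept any certificate
    REQUIRED = 2  # mandatory: chain must verify and hostname must match


def make_context(mode, extra_ca_file=None):
    """Build a client context implementing the proposed two-mode policy.

    REQUIRED uses the CA store configured at OpenSSL build time (the
    SSL_CTX_set_default_verify_paths() route) plus hostname checking;
    extra_ca_file is the 'point to specific files' alternative for a CA
    that is not in the system store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if mode is GGSslMode.ENABLED:
        # check_hostname must be cleared before verify_mode may drop to CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif mode is GGSslMode.REQUIRED:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.set_default_verify_paths()  # wraps SSL_CTX_set_default_verify_paths()
        if extra_ca_file is not None:
            ctx.load_verify_locations(cafile=extra_ca_file)
    else:
        raise ValueError("SSL disabled for this mode; no TLS context is built")
    return ctx


def verify_policy(ctx):
    """Plain summary of what a context will enforce, for inspection."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "trusted_cas": ctx.cert_store_stats()["x509_ca"],
    }


def connect(mode, host, port=443, extra_ca_file=None):
    """Handshake under the given policy. In REQUIRED mode an untrusted CA or a
    hostname mismatch raises ssl.SSLCertVerificationError (the obligatory check);
    in ENABLED mode the connection proceeds and getpeercert() returns {}."""
    ctx = make_context(mode, extra_ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return mode is GGSslMode.REQUIRED, tls.getpeercert()
```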
_______________________________________________
libgadu-devel mailing list
libgadu-devel@lists.ziew.org
http://lists.ziew.org/mailman/listinfo/libgadu-devel