Hi Bartosz, I was wondering if there is any update on this?

On Fri, Jun 7, 2013 at 12:24 PM, Radhesh Krishnan K <radheshkrishn...@gmail.com> wrote:
> Hi Bartosz,
>
> Adding Equifax Secure CA one to the list of trusted CA's sounds like a
> good idea to me.
>
> On Fri, Jun 7, 2013 at 5:25 AM, Bartosz Brachaczek <b.brachac...@gmail.com> wrote:
>
>> (Reposting my conversation with Wojtek to the mailing list. I have
>> just noticed we switched away from it).
>>
>> 2013/6/7 Bartosz Brachaczek <b.brachac...@gmail.com>:
>> > 2013/6/6 Wojtek Kaniewski <wojte...@toxygen.net>:
>> >> On Tue, 2013-06-04 at 13:37 +0200, Bartosz Brachaczek wrote:
>> >>> But checking which certificates are accepted by the proprietary client
>> >>> should be straightforward, as the current version of it is written in
>> >>> XUL and uses xulrunner's/gecko's methods of verifying certificates. I
>> >>> can volunteer to check this. If it turns out that the proprietary
>> >>> client trusts a CA that is not universally trusted, we might want to
>> >>> trust the same one when connecting to the Gadu-Gadu network in
>> >>> libgadu.
>> >>
>> >> Right now they use a RapidSSL certificate issued by Equifax Secure
>> >> Certificate Authority. I can see their certificate in my Ubuntu, so I
>> >> guess it would be a matter of setting some flag to verify against
>> >> preinstalled certificates, adding them to a list of trusted CA's or
>> >> something similar.
>> >
>> > That's right, I had incorrectly assumed OpenSSL is using the system CA
>> > cert store by default, and it's not the case.
>> >
>> > So the functions of interest are:
>> > a) for OpenSSL:
>> > -- SSL_CTX_set_default_verify_paths() to use the CA cert store configured
>> > during OpenSSL's build
>> > -- SSL_get_verify_result() to retrieve the certificate verification result
>> > b) for GnuTLS:
>> > -- gnutls_certificate_set_x509_system_trust() to use the default system CA
>> > cert store, requires GnuTLS >= 3.0 so it can be problematic
>> > (alternatively gnutls_certificate_set_x509_trust_file() can be used to
>> > point to specific files; in OpenSSL that would of course be possible,
>> > too)
>> > -- gnutls_certificate_verify_peers2() and
>> > gnutls_x509_crt_check_hostname() to verify the certificate validity
>> >
>> >>
>> >> As for rejecting invalid certificates, what do you think about leaving
>> >> the behaviour for GG_SSL_ENABLED as is, but adding an obligatory check in
>> >> case of GG_SSL_REQUIRED? This way users would still be able to use SSL
>> >> (at their own risk) if the CA changed to something obscure.
>> >
>> > I think it makes sense.
>> >
>> >>
>> >> Regards,
>> >> Wojtek
>> >>
>>
>
> --
> Regards,
> Radhesh Krishnan K.

--
Regards,
Radhesh Krishnan K.
_______________________________________________
libgadu-devel mailing list
libgadu-devel@lists.ziew.org
http://lists.ziew.org/mailman/listinfo/libgadu-devel
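The trust-store pitfall and the GG_SSL_ENABLED / GG_SSL_REQUIRED policy from Bartosz's and Wojtek's exchange above, as an added example that is not libgadu code: Python's ssl module wraps the same OpenSSL calls (load_default_certs() is SSL_CTX_set_default_verify_paths(), CERT_REQUIRED is SSL_VERIFY_PEER, check_hostname is OpenSSL's hostname check), so it shows both policies without a C build. The names SslMode, make_client_context, apply_policy and connect_gg are assumed; the GG_SSL_* names are the libgadu constants the thread refers to.

```python
import socket
import ssl
from enum import Enum
from typing import Optional, Tuple


class SslMode(Enum):
    ENABLED = 1   # GG_SSL_ENABLED: use TLS, but tolerate an unverifiable peer
    REQUIRED = 2  # GG_SSL_REQUIRED: refuse to talk to an unverifiable peer


def make_client_context(verify: bool) -> ssl.SSLContext:
    """A fresh context trusts no CAs at all (the pitfall in the thread), so the
    OpenSSL default store has to be loaded explicitly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verify:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)  # SSL_CTX_set_default_verify_paths()
        ctx.verify_mode = ssl.CERT_REQUIRED              # SSL_VERIFY_PEER
        ctx.check_hostname = True                        # cert must name the host we dialed
    else:
        ctx.check_hostname = False  # must be cleared before verify_mode may drop to CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def apply_policy(mode: SslMode, verify_error: Optional[str]) -> Tuple[bool, Optional[str]]:
    """verify_error is None when chain and hostname checked out, otherwise the error
    text (the analogue of SSL_get_verify_result() != X509_V_OK). Returns (proceed, warning)."""
    if verify_error is None:
        return True, None
    if mode is SslMode.REQUIRED:
        return False, None
    return True, "continuing with UNVERIFIED server certificate: " + verify_error


def connect_gg(host: str, port: int, mode: SslMode) -> ssl.SSLSocket:
    """Try a verified handshake first; under ENABLED fall back to an unverified
    session at the user's own risk, under REQUIRED let the failure propagate."""
    try:
        return make_client_context(True).wrap_socket(
            socket.create_connection((host, port)), server_hostname=host)
    except ssl.SSLCertVerificationError as exc:
        proceed, warning = apply_policy(mode, exc.verify_message)
        if not proceed:
            raise
        print("warning:", warning)
        return make_client_context(False).wrap_socket(
            socket.create_connection((host, port)), server_hostname=host)
```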