Hello all, I hope this question is more appropriate for this list. I tried openssl-users with no luck. If not, I apologize in advance.
I'm working on an OpenSSL project, and I could use some help. I am writing a library which will be loaded into the environment via LD_PRELOAD, which will take calls to SSL_get_verify_result and, as opposed to verifying them against the CA tree, will use Marlinspike's Convergence system to perform certificate validation (similar to libval_shim for some DNS functions). I have a very small proof of concept of this working, yet I've run into some issues. I have the following questions:

1) Is this architecturally a bad idea? I understand writing code like this is exceptionally tricky, and I plan to open source all of it for peer review and slap huge caveats on it about how it has not been tested, but fundamentally is there anything wrong with this approach?

2) The biggest question I have is that, for this to work well, I need to be able to get the hostname and port from the SSL object that gets passed into SSL_get_verify_result. I've found that sometimes this is available in ssl->rbio->ptr->param_hostname/param_port, and it looks like other times it might be available in ssl->tlsext_hostname, but it doesn't seem to be standard. Is there anywhere I can reliably find the hostname and port from the SSL object (or a few places such that it would be in one of them)? I understand this isn't using the API and could potentially break with upgrades, but to a certain extent, if you're using an LD_PRELOAD shim you don't have a reasonable expectation of compatibility... Additionally, if this data isn't located anywhere I can access, I can sometimes grab the hostname out of the X509 certificate (obviously I would lose the port number, and dealing with wildcard certificates would be a huge PITA, but it's doable). Also, I recognize that I'd probably also need to deal with custom verification callbacks, and that this approach won't work with all software, but I'd like to try to cover most straightforward SSL apps.
If you have any other tips or things you think I should be aware of, please feel free to let me know. Thank you very much for your time and help, Joe
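As an added example (this is not code from Joe's proof of concept, nor from OpenSSL or Convergence), here is the shape the shim can take while staying on public API: the interposed SSL_get_verify_result resolves the real function with dlsym(RTLD_NEXT, ...), reads the SNI name through SSL_get_servername (the public accessor for the tlsext_hostname field mentioned above; it returns NULL when the application never set a server name), and does the host[:port] splitting and wildcard matching that the post expects to be painful in plain C. Everything not in the post is an assumption and is labelled: the OpenSSL symbols are declared as weak externs so the file also builds and runs without libssl; the port defaults to 443 because SNI carries none; convergence_verify() is a hypothetical stand-in for the notary query and fails closed.

```c
/*
 * Added example, not from the original post or from OpenSSL: an LD_PRELOAD
 * shim skeleton around SSL_get_verify_result() plus host[:port] splitting
 * and wildcard dNSName matching (RFC 6125 rules).
 *
 * Assumptions: OpenSSL symbols are weak externs so this builds without
 * libssl; port defaults to 443 (SNI carries no port); convergence_verify()
 * is a hypothetical notary hook that fails closed.
 *
 * Build as a shim:  cc -shared -fPIC -o shim.so shim.c -ldl
 * Use:              LD_PRELOAD=./shim.so ./some-tls-client
 */
#define _GNU_SOURCE
#include <ctype.h>
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>

#ifndef RTLD_NEXT                       /* GNU extension; value used by glibc and musl */
#define RTLD_NEXT ((void *)-1L)
#endif

typedef struct ssl_st SSL;              /* opaque, as in <openssl/ssl.h>   */
#define TLSEXT_NAMETYPE_host_name 0     /* <openssl/tls1.h>                */
#define X509_V_OK 0                     /* <openssl/x509_vfy.h>            */
#define X509_V_ERR_APPLICATION_VERIFICATION 50

/* Public accessor for the SNI name; weak so the file links without libssl and
 * binds to the host process's libssl when preloaded. NULL if SNI was never set. */
extern const char *SSL_get_servername(const SSL *s, int type) __attribute__((weak));

/* Hypothetical notary hook (assumption, not part of the post): 1 means the
 * notaries see the same certificate for host:port. Fails closed until wired up. */
int convergence_verify(const char *host, int port)
{
    (void)host;
    (void)port;
    return 0;
}

/* Split "host[:port]" as given to BIO_set_conn_hostname(); assumes a DNS name,
 * not a bracketed IPv6 literal. Returns 1 on success, port defaults to 443. */
int split_host_port(const char *spec, char *host, size_t hostlen, int *port)
{
    const char *colon = strrchr(spec, ':');
    size_t n = colon ? (size_t)(colon - spec) : strlen(spec);
    if (n == 0 || n >= hostlen)
        return 0;
    memcpy(host, spec, n);
    host[n] = '\0';
    *port = 443;
    if (colon) {
        char *end;
        long p = strtol(colon + 1, &end, 10);
        if (end == colon + 1 || *end != '\0' || p < 1 || p > 65535)
            return 0;
        *port = (int)p;
    }
    return 1;
}

/* Case-insensitive equality; DNS names in presentation form are case-insensitive. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match a certificate dNSName pattern against the connected hostname. The
 * wildcard is accepted only as the whole leftmost label ("*.example.com"),
 * must be followed by at least two labels ("*.com" is rejected), and matches
 * exactly one label ("a.b.example.com" does not match "*.example.com"). */
int hostname_matches(const char *pattern, const char *host)
{
    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return name_eq(pattern, host);            /* plain dNSName */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return 0;                                 /* "f*o.example.com", "*.*.x" */
    const char *rest = pattern + 1;               /* ".example.com" */
    int dots = 0;
    for (const char *p = rest; *p; p++)
        if (*p == '.')
            dots++;
    if (dots < 2 || strstr(rest, ".."))
        return 0;                                 /* "*.com", "*..com" */
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host)
        return 0;                                 /* need a non-empty leftmost label */
    return name_eq(hdot, rest);                   /* "*" consumed exactly one label */
}

/* Interposed entry point. Resolve and run the real function first, then let the
 * notaries override the CA-tree verdict when an SNI name exists to ask about.
 * Applications that never set SNI keep the chain result; the port is assumed to
 * be 443 (the rbio fields mentioned in the post are not stable API). */
long SSL_get_verify_result(const SSL *ssl)
{
    static long (*real_fn)(const SSL *);
    if (real_fn == NULL) {
        *(void **)&real_fn = dlsym(RTLD_NEXT, "SSL_get_verify_result");
        if (real_fn == NULL)
            abort();                              /* no libssl underneath: never pretend */
    }
    long chain_rc = real_fn(ssl);
    const char *name = SSL_get_servername
                     ? SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) : NULL;
    if (name == NULL || *name == '\0')
        return chain_rc;
    return convergence_verify(name, 443) ? X509_V_OK
                                         : X509_V_ERR_APPLICATION_VERIFICATION;
}
```

Two things to keep in mind when using this: interposing SSL_get_verify_result only helps applications that actually call it after the handshake (ones that set SSL_VERIFY_PEER or install their own verify callback fail earlier, as the post already notes), and hostname_matches is what you would run over the leaf certificate's dNSName entries in the fallback case where no SNI name is available.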
