On Sat, Oct 20, 2012 at 5:08 AM, Joe Pletcher <joepletc...@gmail.com> wrote:
> Hello all,
>
> I hope this question is more appropriate for this list. I tried openssl-users 
> with no luck. If not, I apologize in advance.
>
> I'm working on an OpenSSL project, and I could use some help. I am writing a 
> library which will be loaded into the environment via LD_PRELOAD which will 
> take calls to SSL_get_verify_result and as opposed to verifying them against 
> the CA tree, will use Marlinspike's Convergence system to perform certificate 
> validation (similar to libval_shim for some DNS functions). I have a very 
> small proof of concept of this working, yet I've run into some issues. I have 
> the following questions:
>
> 1) Is this architecturally a bad idea? I understand writing code like this
> is exceptionally tricky, and plan to open source all of it for peer review,
> and slap huge caveats on it about how it has not been tested, but
> fundamentally is there anything wrong with this approach?

One obvious problem is, I think, that it does
>
> 2) The biggest question I have, is for this to work well I need to be able to 
> get the hostname and port from the SSL object that gets passed into 
> SSL_get_verify_result. I've found sometimes this is available in 
> ssl->rbio->ptr->param_hostname/param_port, and it looks like other times it 
> might be available in ssl->tlsext_hostname, but it doesn't seem to be 
> standard. Is there anywhere where I can reliably find the hostname and port 
> from the SSL object (or a few places that it would be in one of?). I 
> understand this isn't using the API and could potentially break from 
> upgrades, but to a certain extent if you're using an LD_PRELOAD shim you 
> don't have a reasonable expectation of compatibility...

The problem is that OpenSSL doesn't actually manage the connection to
the host, and so doesn't necessarily know the name/port at all.

> Additionally, if this data isn't located anywhere I can access, I can grab
> the hostname out of the x509 certificate sometimes (obviously I would lose
> the port number, and dealing with wildcard certificates would be a huge PITA,
> but it's doable). Also, I recognize that I'd probably also need to deal
> with custom verification callbacks, and that this approach won't work with all
> software, but I'd like to try to cover most straightforward SSL apps.
>
> If you have any other tips or things you think I should be aware of, please 
> feel free to let me know.
>
> Thank you very much for your time and help,
>
> Joe
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
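An added illustration of the point made in the reply (not code from the thread), using Python's standard-library ssl wrapper over OpenSSL rather than the raw C API: the only host name OpenSSL can verify against is the one the application itself registers (Python hands it to SSL_set_tlsext_host_name and X509_VERIFY_PARAM_set1_host), the port is stored nowhere in the SSL object, and the certificate-derived fallback discussed above yields names to check against, not a host to look up. SAMPLE_CERT is a constructed dictionary in the layout getpeercert() returns.

```python
import ssl

def client_ssl_object(hostname):
    """Client-side TLS object over memory BIOs, set up the way a careful
    OpenSSL client is: the expected name comes from the application.
    No socket is involved, so no port exists anywhere in the object."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname
    if hostname is None:
        # An application that never names the peer: verification cannot be
        # tied to a host, which is exactly the gap a verify hook cannot fill.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    return ctx.wrap_bio(incoming, outgoing, server_side=False,
                        server_hostname=hostname)

def expected_hostname(ssl_obj):
    """What a verification hook can reliably see: the name the application
    registered for SNI/hostname checks, or None if it registered none."""
    return ssl_obj.server_hostname

def dns_names_from_cert(cert):
    """Fallback: names the peer certificate asserts, as (exact, wildcards).
    A wildcard pattern can confirm a host you already know, but it cannot
    tell you which host the application connected to."""
    exact, wildcards = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":                   # skip IP Address, email, URI entries
            continue
        (wildcards if value.startswith("*.") else exact).append(value.lower())
    if not exact and not wildcards:
        # Legacy fallback only: a CN is not a reliable host identifier.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    exact.append(value.lower())
    return exact, wildcards

# Constructed sample in the shape ssl.SSLObject.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"),
                       ("DNS", "*.example.test"),
                       ("IP Address", "192.0.2.10")),
}
```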