On Sat, Oct 20, 2012 at 11:22 AM, Ben Laurie <[email protected]> wrote:
> On Sat, Oct 20, 2012 at 5:08 AM, Joe Pletcher <[email protected]> wrote:
>> Hello all,
>>
>> I hope this question is more appropriate for this list. I tried
>> openssl-users with no luck. If not, I apologize in advance.
>>
>> I'm working on an OpenSSL project, and I could use some help. I am writing a
>> library which will be loaded into the environment via LD_PRELOAD which will
>> take calls to SSL_get_verify_result and, as opposed to verifying them against
>> the CA tree, will use Marlinspike's Convergence system to perform
>> certificate validation (similar to libval_shim for some DNS functions). I
>> have a very small proof of concept of this working, yet I've run into some
>> issues. I have the following questions:
>>
>> 1) Is this architecturally a bad idea? I understand writing code like this
>> is exceptionally tricky, and plan to open source all of it for peer review,
>> and slap huge caveats on it about how it has not been tested, but
>> fundamentally is there anything wrong with this approach?
>
> One obvious problem is, I think, that it does

I was going to say "doesn't work on MacOS", but it seems there's an
alternate mechanism on MacOS.

>>
>> 2) The biggest question I have is, for this to work well I need to be able
>> to get the hostname and port from the SSL object that gets passed into
>> SSL_get_verify_result. I've found sometimes this is available in
>> ssl->rbio->ptr->param_hostname/param_port, and it looks like other times it
>> might be available in ssl->tlsext_hostname, but it doesn't seem to be
>> standard. Is there anywhere where I can reliably find the hostname and port
>> from the SSL object (or a few places that it would be in one of?). I
>> understand this isn't using the API and could potentially break from
>> upgrades, but to a certain extent if you're using an LD_PRELOAD shim you
>> don't have a reasonable expectation of compatibility...
>
> The problem is that OpenSSL doesn't actually manage the connection to
> the host, and so doesn't necessarily know the name/port at all.
>
>> Additionally, if this data isn't located anywhere I can access, I can grab
>> the hostname out of the x509 certificate sometimes (obviously I would lose
>> the port number, and dealing with wildcard certificates would be a huge
>> PITA, but it's doable). Also, I recognize that I'd probably also need to
>> deal with custom verification callbacks, and that this approach won't work
>> with all software, but I'd like to try to cover most straightforward SSL
>> apps.
>>
>> If you have any other tips or things you think I should be aware of, please
>> feel free to let me know.
>>
>> Thank you very much for your time and help,
>>
>> Joe

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
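The exchange above turns on two points: the SSL object only carries a hostname if the application handed one to the library (the SNI name, which on the C side is the public `SSL_get_servername()` accessor rather than the private `ssl->tlsext_hostname` field), and the fallback of reading names out of the certificate runs into wildcards. The following is an added example written for this page, not code from the thread or from OpenSSL; it uses Python's `ssl` module, which wraps OpenSSL, so that it runs without a network. `CONSTRUCTED_SAN` is constructed sample data, and the function names are assumptions of this example.

```python
import ssl

# Constructed sample data: dNSName SAN entries a certificate might carry.
# A real shim would read these from the peer certificate; here they are
# embedded so the example runs offline.
CONSTRUCTED_SAN = ("example.com", "*.example.com", "mail.example.net")


def hostname_known_to_ssl_object(server_hostname=None):
    """Return the hostname the SSL object itself knows about, or None.

    SSLObject.server_hostname is whatever the application passed in; it
    becomes the SNI name (the same value a C shim gets from
    SSL_get_servername()). An application that never supplied one leaves
    the library with nothing to report, which is the reply's point: the
    library does not manage the connection, so it only knows what it was told.
    """
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # The default context enables check_hostname, which refuses to
        # wrap without a name. Turning it off models an application that
        # never told OpenSSL the hostname at all.
        ctx.check_hostname = False
    sslobj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
                          server_hostname=server_hostname)
    return sslobj.server_hostname


def hostname_matches(hostname, pattern):
    """Conservative RFC 6125 style matching of a name against a SAN entry.

    - case-insensitive, trailing dots ignored
    - a wildcard is honoured only as the entire leftmost label
    - at least two labels must follow the wildcard (no '*.com')
    - the wildcard matches exactly one label (no sub-subdomains)
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    labels = pat.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False  # partial wildcards ('w*.example.com') are rejected
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def matching_san_entry(hostname, san_entries):
    """Given a hostname the shim did learn, return the SAN entry that
    covers it, or None if the certificate does not name that host."""
    for entry in san_entries:
        if hostname_matches(hostname, entry):
            return entry
    return None


def candidate_hosts_from_certificate(san_entries):
    """The fallback when the SSL object carries no hostname: all the
    certificate can offer is its list of names. Concrete names are
    returned separately from wildcard patterns, since a wildcard never
    yields a specific host to look up and the port is lost either way."""
    concrete = [e for e in san_entries if "*" not in e]
    wildcards = [e for e in san_entries if "*" in e]
    return concrete, wildcards


if __name__ == "__main__":
    print("told:", hostname_known_to_ssl_object("example.com"))
    print("not told:", hostname_known_to_ssl_object())
    print("match:", matching_san_entry("www.example.com", CONSTRUCTED_SAN))
    print("fallback:", candidate_hosts_from_certificate(CONSTRUCTED_SAN))
```

`hostname_known_to_ssl_object()` returns `None` when the application skipped the hostname, which is exactly the case where reaching into OpenSSL internals cannot help either; the matcher then shows why the certificate-only fallback is weaker, since a wildcard entry never identifies a concrete host and a concrete entry still needs an application-supplied name to compare against.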
