On Sat, Oct 27, 2012 at 11:00 AM, Alban D. <blan...@gmail.com> wrote:
> Hi everyone,
>
> iSEC Partners just released a paper that provides detailed guidelines
> and sample code on how to properly do certificate validation with
> OpenSSL:
> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>
> It is not trivial and so I thought this reference material could be
> useful to people on this mailing list.

] Applications that need to be able to connect to any server on
] the Internet (such as browsers) could instead rely on Mozilla's
] list of root certificates used in Firefox.

Mozilla cannot be trusted. When Trustwave issued a Subordinate CA to perform traffic interception on sites not under the operator's control, Mozilla rewarded their bad behavior by continuing their inclusion in the Root CA list. (http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html and https://bugzilla.mozilla.org/show_bug.cgi?id=724929).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org