Hi Bartosz, Adding Equifax Secure CA one to the list of trusted CA's sounds like a good idea to me.
On Fri, Jun 7, 2013 at 5:25 AM, Bartosz Brachaczek <b.brachac...@gmail.com>wrote: > (Reposting my conversation with Wojtek to the mailing list. I have > just noticed we switched away from it). > > 2013/6/7 Bartosz Brachaczek <b.brachac...@gmail.com>: > > 2013/6/6 Wojtek Kaniewski <wojte...@toxygen.net>: > >> Dnia 2013-06-04, wto o godzinie 13:37 +0200, Bartosz Brachaczek pisze: > >>> But checking which certificates are accepted by the proprietary client > >>> should be straightforward, as the current version of it is written in > >>> XUL and uses xulrunner's/gecko's methods of verifying certificates. I > >>> can volunteer to check this. If it turns out that the proprietary > >>> client trusts a CA that is not universally trusted, we might want to > >>> trust the same one when connecting to the Gadu-Gadu network in > >>> libgadu. > >> > >> Right now they use RapidSSL certificate issued by Equifax Secure > >> Certificate Authority. I can see their certificate in my Ubuntu, so I > >> guess it would be a matter of setting some flag to verify against > >> preinstalled certificates, adding them to a list of trusted CA's or > >> something similar. > > > > That's right, I have incorrectly assumed OpenSSL is using system CA > > cert store by default, and it's not the case. > > > > So the functions of interest are: > > a) for OpenSSL: > > -- SSL_CTX_set_default_verify_paths() to use CA cert store configured > > during OpenSSL's build > > -- SSL_get_verify_result() to retrieve certificate verification result > > b) for GnuTLS: > > -- gnutls_certificate_set_x509_system_trust() to use default system CA > > cert store, requires GnuTLS >= 3.0 so it can be problematic > > (alternatively gnutls_certificate_set_x509_trust_file() can be used to > > point to specific files; in OpenSSL that would of course be possible, > > too) > > -- gnutls_certificate_verify_peers2() and > > gnutls_x509_crt_check_hostname() to verify the certificate validity > > > >> > >> As for rejecting invalid certificates, what do you think about leaving > >> behaviour for GG_SSL_ENABLED as is, but adding a obligatory check in > >> case of GG_SSL_REQUIRED? This way users would be still able to use SSL > >> (on their own risk) if the CA changed to something obscure. > > > > I think it makes sense. > > > >> > >> Regards, > >> Wojtek > >> > -- Regards, Radhesh Krishnan K.
_______________________________________________ libgadu-devel mailing list libgadu-devel@lists.ziew.org http://lists.ziew.org/mailman/listinfo/libgadu-devel
