Hi,
so one can set THTTPSend.Sock.SSL.CertCAFile to load root certificates
from a file. But that is not enough, sometimes they are in a directory
and you need to load that too when calling SslCtxLoadVerifyLocations. Or
use SSL_CTX_set_default_verify_paths(), if that actually works anywhere.
(https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/)
And afterwards when connecting the host name needs to be set:
https://wiki.openssl.org/index.php/Hostname_validation
Synapse needs to be changed for that; right now there appears to be
no reasonable way to run user code between OpenSSL context creation and
connecting. Can't even override the handling without corresponding
virtual methods in TSSLOpenSSL.
Best,
Benito
On 01.07.2018 at 00:56, Benito van der Zander wrote:
Hi,
how do you make sure the https connection is really secure and the
server uses a valid certificate?
Just set sock.ssl.verifycert := true or does it need more configuration?
Where would it get the trusted root certificates from?
How to check hostnames? OpenSSL did not even try to verify hostnames
before 1.0.2
Bye,
Benito
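To make the discussion above concrete, here is an added example (not code from Synapse or from the poster) of what a caller can do today with Synapse's THTTPSend and the ssl_openssl plugin: switch on VerifyCert, point CertCAFile at a root bundle, set SNIHost, and then compare the peer certificate's subject CN against the target host, since Synapse itself does not do the hostname check. The host name and CA bundle path are placeholders, and the wildcard matcher follows the RFC 6125 "one label" rule. Because Synapse only exposes the subject CN (GetPeerName), this check does not see subjectAltName entries and will reject certificates that are valid only through a SAN; that is a deliberate, conservative limitation of the example, not Synapse behaviour.

```pascal
program VerifiedHttps;
{$mode objfpc}{$H+}
{ Added example, not part of Synapse. Assumes Synapse's httpsend and
  ssl_openssl units (TCustomSSL properties VerifyCert, CertCAFile, SNIHost,
  GetPeerName, LastErrorDesc). Host and CA bundle path are placeholders. }
uses
  SysUtils, httpsend, ssl_openssl;

{ Match a presented DNS name against the target host, case-insensitively,
  allowing a single leading "*." wildcard that covers exactly one label
  (the RFC 6125 rule). Anything else is a mismatch. }
function HostMatches(const Presented, Host: string): Boolean;
var
  p, h, suffix, leftLabel: string;
begin
  Result := False;
  p := LowerCase(Trim(Presented));
  h := LowerCase(Trim(Host));
  if (p = '') or (h = '') then
    Exit;
  if p = h then
    Exit(True);
  { wildcard form "*.example.com": no other '*', and the suffix must still
    contain at least two labels so "*.com" cannot match }
  if (Length(p) > 2) and (Copy(p, 1, 2) = '*.') and
     (Pos('*', Copy(p, 3, MaxInt)) = 0) then
  begin
    suffix := Copy(p, 2, MaxInt);                   { ".example.com" }
    if Pos('.', Copy(suffix, 2, MaxInt)) = 0 then
      Exit;                                         { "*.com" style, refuse }
    if (Length(h) > Length(suffix)) and
       (Copy(h, Length(h) - Length(suffix) + 1, Length(suffix)) = suffix) then
    begin
      leftLabel := Copy(h, 1, Length(h) - Length(suffix));
      { the wildcard may replace exactly one label, so no dot allowed here }
      Result := Pos('.', leftLabel) = 0;
    end;
  end;
end;

procedure FetchVerified(const Host, Url, CAFile: string);
var
  HTTP: THTTPSend;
  PeerCN: string;
begin
  HTTP := THTTPSend.Create;
  try
    HTTP.Sock.SSL.VerifyCert := True;    { untrusted chain => handshake fails }
    HTTP.Sock.SSL.CertCAFile := CAFile;  { root bundle file; Synapse passes no
                                           directory to SslCtxLoadVerifyLocations }
    HTTP.Sock.SSL.SNIHost := Host;       { so the server presents the right cert }
    if not HTTP.HTTPMethod('GET', Url) then
      raise Exception.CreateFmt('TLS/HTTP failure for %s: %s',
        [Url, HTTP.Sock.SSL.LastErrorDesc]);
    { Synapse never compares the certificate to the host, so do it here.
      GetPeerName yields the subject CN only; SAN-only certs are rejected. }
    PeerCN := HTTP.Sock.SSL.GetPeerName;
    if not HostMatches(PeerCN, Host) then
      raise Exception.CreateFmt(
        'hostname mismatch: certificate CN "%s" is not valid for %s',
        [PeerCN, Host]);
    WriteLn('verified ', Host, ': HTTP ', HTTP.ResultCode);
  finally
    HTTP.Free;
  end;
end;

begin
  { placeholder host and CA bundle path; adjust for the target platform }
  FetchVerified('example.org', 'https://example.org/',
    '/etc/ssl/certs/ca-certificates.crt');
end.
```

Note the ordering problem this example cannot fix from the outside: HTTPMethod has already completed the handshake and sent the request by the time GetPeerName can be called, so a mismatched certificate is detected only after the request body (headers, cookies, credentials) has gone to the peer. Doing the comparison before any data is sent requires a hook between context creation and connect, or the OpenSSL 1.0.2+ X509_VERIFY_PARAM_set1_host route, which is exactly the change to TSSLOpenSSL the thread is asking for.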
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
synalist-public mailing list
synalist-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/synalist-public