On 2014/03/29 11:39, Jérémie Courrèges-Anglas wrote:
> Stuart Henderson <[email protected]> writes:
> 
> > On 2014/03/28 22:09, Philip Guenther wrote:
> >> On Thu, Mar 27, 2014 at 3:33 AM, Jérémie Courrèges-Anglas
> >> <[email protected]> wrote:
> >> > Thanks sthen@ for noticing it, ftp(1) doesn't perform SNI, Server Name
> >> > Indication.  (try eg. https://www.stunnel.org/)
> >> >
> >> > Here's a diff to improve the situation (first and last hunks).  While
> >> > I can get some eyes for a review, let's add some more changes. ;)
> >> 
> >> The other changes look ok to me, but I am unable to find any
> >> documentation for SSL_set_tlsext_host_name() to reassure me that it's
> >> being used correctly here, or even that it's useful.
> >> 
> >> :-(
> >> 
> >> 
> >> Philip Guenther
> >> 
> >
> > Given that they don't even document that there's an environment variable
> > which overrides the system CA cert.pem path (which is kind-of
> > security-important information), I think this is pretty much par for the
> > course :(
> 
> We don't call SSL_CTX_set_default_verify_paths(), so the SSL_CERT_FILE
> environment variable isn't recognized.  Yes,
> SSL_CTX_set_default_verify_paths() isn't documented. ;)

In ftp(1), yes, but many other programs using OpenSSL do honour this.

(/me now proceeds to do his occasional review of crypto libraries to see
if there's anything other than OpenSSL, in C, from !USA, with the right
license...well I can dream ;)
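The two points in this thread, a client that sends no SNI and the SSL_CERT_FILE / SSL_CERT_DIR overrides that only take effect when a program calls SSL_CTX_set_default_verify_paths(), can be checked locally without touching the network. The script below is an added example and is not part of the thread, the ftp(1) diff, or OpenBSD; it uses Python's OpenSSL-backed ssl module rather than the C API, builds one client with a server_hostname and one without (the ftp(1) situation described above), captures each ClientHello over a socketpair on the same host, and parses the server_name extension out of the raw record. The function names capture_client_hello, parse_sni and default_ca_env_vars are hypothetical; www.stunnel.org is the host mentioned in the thread and no connection is made to it.

```python
"""Offline check of SNI on the wire and of OpenSSL's default CA overrides.

Added example (not from the thread or from ftp(1)).  A ClientHello is
captured from a real TLS client over a local socketpair, so nothing leaves
the host, and a small parser reports whether it carried a server_name
extension.
"""
import socket
import ssl

TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_NAME_TYPE_HOST_NAME = 0x00


def capture_client_hello(server_hostname):
    """Return the bytes a client writes when it starts a handshake.

    server_hostname=None builds a client that never calls
    SSL_set_tlsext_host_name(), i.e. a client without SNI; hostname
    checking must be turned off for that case or the ssl module refuses.
    """
    client_end, peer_end = socket.socketpair()
    ctx = ssl.create_default_context()
    if server_hostname is None:
        ctx.check_hostname = False
    client_end.setblocking(False)
    tls = ctx.wrap_socket(client_end, server_hostname=server_hostname,
                          do_handshake_on_connect=False)
    try:
        tls.do_handshake()  # writes ClientHello, then needs a ServerHello
    except ssl.SSLWantReadError:
        pass
    peer_end.setblocking(False)
    data = peer_end.recv(65536)
    tls.close()
    peer_end.close()
    return data


def _u8(buf, off):
    if off + 1 > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off]


def _u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return int.from_bytes(buf[off:off + 2], "big")


def parse_sni(record):
    """Extract the host_name from a ClientHello record, or None if the
    client sent no server_name extension.  Raises ValueError on malformed
    input instead of guessing."""
    if _u8(record, 0) != TLS_RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if _u8(hs, 0) != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                          # client_version + random
    pos += 1 + _u8(body, pos)             # session_id
    pos += 2 + _u16(body, pos)            # cipher_suites
    pos += 1 + _u8(body, pos)             # compression_methods
    if pos == len(body):
        return None                       # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: u16 list length, then (u8 type, u16 len, name)
        q, list_end = 2, 2 + _u16(data, 0)
        while q + 3 <= list_end:
            name_type, name_len = _u8(data, q), _u16(data, q + 1)
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == SNI_NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


def default_ca_env_vars():
    """Environment variables honoured by programs that call
    SSL_CTX_set_default_verify_paths(); a client that skips that call,
    as ftp(1) is described to above, ignores them."""
    paths = ssl.get_default_verify_paths()
    return paths.openssl_cafile_env, paths.openssl_capath_env


if __name__ == "__main__":
    for host in ("www.stunnel.org", None):
        print("server_hostname=%r -> SNI %r"
              % (host, parse_sni(capture_client_hello(host))))
    print("CA overrides honoured by default verify paths:",
          default_ca_env_vars())
```

Run as-is it prints the SNI value for the client given a hostname, None for the client without one, and the pair of variable names the default verify paths consult. The parser is the piece worth keeping: pointed at a packet capture rather than a socketpair it tells you, per connection, whether a client is the kind that a name-based virtual host will misroute or that a strict server will reject.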

