On 10-12-12 08:36, Nick Mathewson wrote:
> On Sat, Dec 8, 2012 at 6:03 AM, Patrick Pelletier <[email protected]>
> wrote:
>
>> However, it's not clear to me how to work the validation function
>> (validate_hostname) into evhttp's control flow. It seems that I would need
>> to call validate_hostname after the TLS handshake occurs, but before evhttp
>> starts transferring data. But, I don't know how to get evhttp to hand over
>> control to me at that time, so I can call validate_hostname.
>
> I might be missing something, but have you looked at
> SSL_CTX_set_verify and SSL_CTX_set_verify_callback? It would appear
> that openssl lets you pass it a function to be used to help validating
> certificates.
>
> yrs,
>
SSL_CTX_set_verify and SSL_CTX_set_verify_callback are used to validate
the certificate (chain) itself. They are useful when OpenSSL triggers a
false negative on a certificate chain, or when you have your own extensions
built into the certificate (think: Microsoft PKI in their deployments, or RFC 3281).
The original question seems to be how to implement RFC 2818 with libevent's
evhttp.
The moment to do this:
...
- SSL_connect() returns without a failure
- <here and other post SSL connect checks>
- continue handing over the (SSL *)
...
I don't know the answer to this question, as I've used libevent's evhttp and
libevhtp only on the server side, without the need for machine-to-machine
mutual auth (until now).
As I read libevent, you need to have reached the state BUFFEREVENT_SSL_OPEN,
and before you tie the buffers together you need to have performed this
check to do the RFC 2818 validation.
Oscar
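As an added illustration (not code from this thread, from libevent or from evhttp), here is the name-matching core that such a validate_hostname has to perform at the point described above, after BUFFEREVENT_SSL_OPEN is reached and before the buffers are tied together. It compiles without libevent or OpenSSL because it takes the dNSName and CN strings as already extracted from the peer certificate; the function names and signatures are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes (DNS names are case-insensitive). */
static bool ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* RFC 2818 section 3.1 matching: '*' matches any single label or fragment of one,
 * so "*.a.com" matches "foo.a.com" but not "bar.foo.a.com", and "f*.com" matches
 * "foo.com" but not "bar.com". A single wildcard is accepted only in the leftmost
 * label (the usual interpretation); any other pattern must match exactly.
 * IP-address literals (iPAddress SANs) are out of scope for this example. */
bool rfc2818_match(const char *pattern, const char *host) {
    const char *star = strchr(pattern, '*');
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (!star)
        return plen == hlen && ieq(pattern, host, plen);
    const char *pdot = strchr(pattern, '.');
    const char *hdot = strchr(host, '.');
    if (!pdot || !hdot || star > pdot || strchr(star + 1, '*'))
        return false;                       /* wildcard misplaced, repeated, or no suffix */
    size_t rest = strlen(pdot);             /* labels after the first must match exactly */
    if (strlen(hdot) != rest || !ieq(pdot, hdot, rest))
        return false;
    size_t pre = (size_t)(star - pattern);  /* text before '*' in the first label */
    size_t suf = (size_t)(pdot - star - 1); /* text after '*' in the first label */
    size_t hl = (size_t)(hdot - host);      /* length of the host's first label */
    return hl >= pre + suf && ieq(pattern, host, pre) && ieq(star + 1, hdot - suf, suf);
}

/* The check to run once the handshake has completed (the bufferevent reports
 * BEV_EVENT_CONNECTED) and before any request is sent. Per RFC 2818, if the
 * certificate carries any dNSName subjectAltName those are authoritative and the
 * Common Name is ignored; the CN is consulted only when no dNSName is present.
 * 'san' holds the dNSName strings already extracted from the peer certificate. */
bool validate_hostname(const char *host, const char *const *san, size_t nsan,
                       const char *cn) {
    if (nsan > 0) {
        for (size_t i = 0; i < nsan; i++)
            if (rfc2818_match(san[i], host))
                return true;
        return false;
    }
    return cn != NULL && rfc2818_match(cn, host);
}
```

OpenSSL 1.0.2 and later ship X509_check_host() for this job; on the releases current when this thread was written, the application had to carry logic like this itself.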
