After fiddling quite a bit, I have succeeded in handling self-signed certificates in <https://github.com/benob/gemini>.
There were multiple tricks:

* Always activate certificate checking with SSL_VERIFY_PEER (client and server).
* Make sure the TLS handshake is finished before reading the certificate (I didn't find a better way than writing to the asyncsocket).
* Use verify_callback to tell libssl that you accept self-signed certificates:

```nim
proc verify_callback*(preverify: int, x509_ctx: PX509_STORE_CTX): int {.cdecl.} =
  let err = X509_STORE_CTX_get_error(x509_ctx)
  #echo "err: " & $err
  if err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT or err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
    return 1
  return preverify
```

I think that asyncnet would benefit from a getter for sslHandle to talk directly with libssl, and from a way to make sure the handshake is completed. In particular, getPeerCertificates(sslhandle) in net might have a bug in that regard. I'll create issues for that.
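The three steps above, wired together in one synchronous `net` client, as an added example that is not code from benob/gemini or from the post: the context is created with verification on, the callback is installed with `SSL_CTX_set_verify`, and the handshake runs inside `connect`, so the certificate can be inspected in the callback rather than after the fact. It goes one step beyond the post's callback: returning 1 for any self-signed certificate means any party with a self-signed certificate passes, so this version forgives only `X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` at depth 0 and pins the leaf's SHA-256 fingerprint on first use (the TOFU model Gemini clients use), rejecting a later connection whose fingerprint differs. The error-code constants, the locally bound libcrypto procs (`X509_STORE_CTX_get_error_depth`, `X509_STORE_CTX_get_current_cert`, `X509_digest`, `EVP_sha256`), the in-memory pin store and the host name are my assumptions, not part of the project; `int` is used for the callback types because that is what the post's callback compiles with.

```nim
# Added example (not from benob/gemini): SSL_VERIFY_PEER + verify callback
# that tolerates only a self-signed leaf, with trust-on-first-use pinning.
import net, openssl, strutils

const
  # Assumption: OpenSSL x509_vfy.h value, declared here in case the wrapper lacks it
  X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18

# Assumption: libcrypto entry points bound locally (shadow the wrapper's if present)
proc X509_STORE_CTX_get_error_depth(ctx: PX509_STORE_CTX): cint
  {.cdecl, dynlib: DLLUtilName, importc.}
proc X509_STORE_CTX_get_current_cert(ctx: PX509_STORE_CTX): PX509
  {.cdecl, dynlib: DLLUtilName, importc.}
proc EVP_sha256(): EVP_MD
  {.cdecl, dynlib: DLLUtilName, importc.}
proc X509_digest(data: PX509, kind: EVP_MD, md: ptr UncheckedArray[uint8],
                 len: ptr cuint): cint
  {.cdecl, dynlib: DLLUtilName, importc.}

# Assumption: a single in-memory pin. A real client keys this by host and persists it.
var pinnedSha256 = ""

proc fingerprint(cert: PX509): string =
  ## Hex SHA-256 over the DER encoding of the certificate (what TOFU compares).
  var buf: array[64, uint8]   # EVP_MAX_MD_SIZE; SHA-256 fills 32 bytes
  var n: cuint
  if X509_digest(cert, EVP_sha256(), cast[ptr UncheckedArray[uint8]](addr buf[0]), addr n) != 1:
    return ""
  for i in 0 ..< int(n):
    result.add(toHex(buf[i], 2))

proc verifyCallback(preverify: int, x509_ctx: PX509_STORE_CTX): int {.cdecl.} =
  let err = X509_STORE_CTX_get_error(x509_ctx)
  let depth = X509_STORE_CTX_get_error_depth(x509_ctx)
  # Only "the leaf is self-signed" is forgiven, and only for the leaf itself.
  # Every other failure (expired, bad signature, ...) keeps libssl's verdict.
  if depth == 0 and err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
    let fp = fingerprint(X509_STORE_CTX_get_current_cert(x509_ctx))
    if fp.len == 0:
      return 0                  # could not hash the cert: fail closed
    if pinnedSha256.len == 0:
      pinnedSha256 = fp         # first use: remember this server's key
      return 1
    return if fp == pinnedSha256: 1 else: 0   # changed key: reject
  return preverify

proc connectTofu(host: string, port: Port): Socket =
  ## Opens a TLS connection; the handshake (and thus the callback) runs in connect().
  # CVerifyPeer, never CVerifyNone. newContext looks for a system CA bundle here;
  # the bundle is not consulted for the self-signed path, the pin is.
  let ctx = newContext(verifyMode = CVerifyPeer)
  SSL_CTX_set_verify(ctx.context, SSL_VERIFY_PEER, verifyCallback)
  result = newSocket()
  ctx.wrapSocket(result)
  result.connect(host, port)    # raises SslError if the callback returned 0

when isMainModule:
  # Assumption: hypothetical host; Gemini servers listen on 1965 with self-signed certs.
  let sock = connectTofu("example.invalid", Port(1965))
  echo "pinned SHA-256: ", pinnedSha256
  sock.close()
```

Because the pin is checked inside the callback, a mismatch fails the handshake itself, so no application data is ever sent to a server presenting a different key; this is the property the post's "return 1 for any self-signed cert" version does not give you.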