Hello all,

This is my first posting to a mailing list in quite some time, so I apologize in advance if this isn't the proper venue or I mess something up.

I'm working on an OpenSSL project, and I could use some help. I am writing a library which will be loaded into the environment via LD_PRELOAD which will take calls to SSL_get_verify_result and, as opposed to verifying them against the CA tree, will use Marlinspike's Convergence system to perform certificate validation (similar to libval_shim for some DNS functions). I have a very small proof of concept of this working, yet I've run into some issues. I have the following questions:

1) Is this architecturally a bad idea? I understand writing code like this is exceptionally tricky, and plan to open source all of it for peer review, and slap huge caveats on it about how it has not been tested, but fundamentally is there anything wrong with this approach?

2) The biggest question I have is that for this to work well I need to be able to get the hostname and port from the SSL object that gets passed into SSL_get_verify_result. I've found sometimes this is available in ssl->rbio->ptr->param_hostname/param_port, and it looks like other times it might be available in ssl->tlsext_hostname, but it doesn't seem to be standard. Is there anywhere where I can reliably find the hostname and port from the SSL object (or a few places that it would be in one of)? I understand this isn't using the API and could potentially break from upgrades, but to a certain extent if you're using an LD_PRELOAD shim you don't have a reasonable expectation of compatibility... Additionally, if this data isn't located anywhere I can access, I can grab the hostname out of the x509 certificate sometimes (obviously I would lose the port number, and dealing with wildcard certificates would be a huge PITA, but it's doable).

3) Right now I'm grabbing the certificate using SSL_get_peer_certificate(), then looking at its sha1_hash field, but I'm noticing that for a cert I generated and signed using the demoCA.pl script, the hash is null. I presume I did something wrong, but I'm not sure what. This is a smaller thing, but I was curious.

If you have any other tips or things you think I should be aware of, please feel free to let me know.

Thank you very much for your time and help,
Joe
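The interposition pattern the post describes, sketched as an added example (not the poster's code and not part of OpenSSL). It shows how a preloaded object can wrap SSL_get_verify_result and fail closed whenever it cannot reach a positive decision. The names `notary_fn`, `shim_set_notary`, `shim_decide` and `demo_agree`, and the policy itself, are assumptions of this example; the notary query and the hostname/port lookup are left to the hook.

```c
/* Added example. Build: cc -shared -fPIC shim.c -o shim.so -ldl
 * Use:   LD_PRELOAD=./shim.so some_tls_client */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>

#ifndef RTLD_NEXT                 /* in case _GNU_SOURCE took effect too late */
#define RTLD_NEXT ((void *)-1L)
#endif

typedef struct ssl_st SSL;        /* opaque: the shim never looks inside */
#define V_OK        0L            /* X509_V_OK */
#define V_APP_FAIL 50L            /* X509_V_ERR_APPLICATION_VERIFICATION */

typedef enum { NOTARY_AGREE, NOTARY_DISAGREE, NOTARY_UNREACHABLE } verdict_t;
typedef verdict_t (*notary_fn)(const SSL *ssl);

/* Hypothetical hook: a real build would query the notaries here. */
static notary_fn notary_hook;
void shim_set_notary(notary_fn fn) { notary_hook = fn; }

/* Constructed hook used only to exercise the shim. */
verdict_t demo_agree(const SSL *ssl) { (void)ssl; return NOTARY_AGREE; }

/* Policy (an assumption of this example): only notary agreement yields
 * V_OK. Otherwise keep the library's own error code if it reported one. */
long shim_decide(long ca_result, verdict_t v)
{
    if (v == NOTARY_AGREE)
        return V_OK;
    if (v == NOTARY_DISAGREE || ca_result == V_OK)
        return V_APP_FAIL;
    return ca_result;
}

/* Same name and signature as the libssl function, so the dynamic linker
 * binds callers to this definition when the object is preloaded. */
long SSL_get_verify_result(const SSL *ssl)
{
    static long (*real)(const SSL *);
    if (!real)   /* next definition in search order, i.e. libssl's */
        *(void **)(&real) = dlsym(RTLD_NEXT, "SSL_get_verify_result");
    long ca = real ? real(ssl) : V_APP_FAIL;   /* unresolved: fail closed */
    verdict_t v = notary_hook ? notary_hook(ssl) : NOTARY_UNREACHABLE;
    return shim_decide(ca, v);
}
```

The shim only takes effect in programs that resolve SSL_get_verify_result dynamically; statically linked OpenSSL or callers that never ask for the verify result are unaffected.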