On Fri, 24 Oct 2014, Bernhard R. Link wrote:
> Hi,
>
> I hope this is the right list. If it is the wrong list I'd welcome a
> hint to the correct list.
tech@ is fine.
> Some suggestions for the ressl API:
>
> * Please consider making ressl_config_set_protocols accepting a string
> as option instead.
Already planned - ressl_config_set_protocols() will continue to require a set
of numeric flags, since it provides a way to be explicit. There will be a
utility function that takes a protocol string and returns the appropriate
flag values (or sets the flag values). This will likely allow both
additive/negative names (e.g. "+tls1.2" or "-sslv3") as well as groups
(e.g. "compat", "secure", etc).
> * Some way to override the name to be looked for in the certificate
> would be nice.
>
> Both to support speaking with broken/incomplete systems (wrong
> certificates, certificates not listing alternate interfaces and missing
> SNI, ..) and for monitoring (connecting to a specific host behind a
> loadblancer or behind DNS-round-robin and checking the certicate as
> it will be checked by real clients) a way to specify a different name
> to expect in the certificate would be nice.
If you call ressl_connect_socket() you already have this functionality via the
hostname argument. However, it might be worth adding as a configuration
option for the ressl_connect() case.
> (If using ressl directly one could always use ressl_connect_socket,
> but I guess most programs using it will only offer calling
> ressl_config_insecure_noverifyhost (or even only
> ressl_config_insecure_noverifycert)).
That will not help since ressl_connect_socket() still performs the
verification checks, unless they are explicitly disabled.
> * An option to only look at subjectAltName and not CN would be nice.
>
> If only to allow more paranoid monitoring checking if ssl clients
> not looking at CN can connect (or not looking at CN if there is
> subjectAltName).
This one seems a little strange. If you can specify a hostname for validation,
it is either in the CN, the SAN or both. I'm not sure that not matching the
CN makes sense in that case. Is there a use case that I'm missing?
--
"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard
