From: "Iñaki Baz Castillo" <ibc@aliax.net>
To: kgio@librelist.com
Subject: Re: Like OpenSSL::SSL::SSLSocket#connect_nonblock
Date: Tue, 10 Apr 2012 22:50:30 +0200 [thread overview]
Message-ID: <CALiegfmfTU1YudEpm4oywtRtz+Amca4jyR5JizTLd6fCUw4UgA@mail.gmail.com> (raw)
In-Reply-To: 20120410202644.GE25426@dcvr.yhbt.net
[-- Attachment #1: Type: text/plain, Size: 1778 bytes --]
Hi, I include a patch fixing the doc typos. More inline:
2012/4/10 Eric Wong <normalperson@yhbt.net>:
>> 2) What does it mean "hostname is required for verification"? I hope
>> it does not mean that "hostname" is a required argument and it's
>> matched against the CommonName field in the server certificate. That
>> would be a really ugly limitation of certificate validation since
>> there are other ways to validate a certificate (i.e. SubjectAltName
>> fields).
>
> (I'm not remotely close to being an SSL expert, and kgio-monkey includes
> plenty of disclaimers :)
>
> The hostname should be matched against CommonName and/or SubjectAltName
This is not entirely true. It is much more complex ;)
I'll show you some code I wrote for my SIP proxy. It's a Ruby script
that gets the SIP identities (domains) in a X.509 certificate (PEM
format). The script output is self descriptive.
I also attach two certificates:
- oversip.net.crt: A certificate created by me with cool SIP
identities in SubjectAltName.
- github.crt: The certificate from github.com.
Run the script passing as argument each certificate ;)
And note this is just for SIP world, maybe in XMPP it's different, or
in HTTP or whatever. Each protocol specification defines how a server
certificate must be checked.
> kgio-monkey calls SSL_set_tlsext_host_name() and
> OpenSSL::SSL.verify_certificate_identity (for SubjectAltName), so one of
> the methods for handling hostname verification _should_ work.
Hummmm... not sure ;)
Well, I will be much more happy if I can set the certification
validation callback my itself ;)
I've worked too much (yet) with Ruby OpenSSL bindings, but I hope that
it does allow setting my own verification method.
Regards.
--
Iñaki Baz Castillo
<ibc@aliax.net>
next prev parent reply other threads:[~2012-04-10 20:50 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-06 21:50 Like OpenSSL::SSL::SSLSocket#connect_nonblock Iñaki Baz Castillo
2012-04-09 3:22 ` Eric Wong
2012-04-09 18:31 ` Iñaki Baz Castillo
2012-04-09 18:44 ` Iñaki Baz Castillo
2012-04-10 20:26 ` Eric Wong
2012-04-10 20:50 ` Iñaki Baz Castillo [this message]
2012-04-10 21:02 ` Eric Wong
2012-04-10 21:55 ` Iñaki Baz Castillo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://yhbt.net/kgio/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALiegfmfTU1YudEpm4oywtRtz+Amca4jyR5JizTLd6fCUw4UgA@mail.gmail.com \
--to=ibc@aliax.net \
--cc=kgio@librelist.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhbt.net/kgio.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).