Re: Callback for cert verification
Date: Thu, 8 Jan 2009 00:55:53 +0100 (CET)
On Tue, 6 Jan 2009, Vitaliy Kulikov wrote:
Welcome to our merry little project!
> I am an engineer at Google, and this is my first email to this mailing list.
> I implemented item 7.6 of your "TODO" wish list ("Provide callback for cert
> verification"), and I would like to contribute my changes back to the
> project. Could someone point me to a list of instructions on how I can get
> my changes reviewed and submitted?
I think your description here is perfect to explain what the changes are, and
then you can just make a patch (cvs diff -u) and post it to this very list and
we'll give it a review and comments and you update the nits we find and repost
the new patch and when everything is fine and dandy we commit!
> First, I created an implementation-independent list of common SSL
> certificate error codes.
> Second, I added code to save certificate [error] data as part of the
> 'ssl_connect_data' data structure every time a secure connection needs to be
> established and a new set of certificates is received from the server. I
> save every certificate in binary along with the encoding method (DER is the
> only encoding supported at the moment) and the certificate error data. If
> there are multiple certificates in the chain, I save them all (I have a
> hard-coded limit of 16 certificates per chain at the moment).
What is the purpose of the saving of the certs? Ah, is that because you
_first_ save them all and then call the verification callback(s)?
> Third, I provide a way for the client code to supply the stack with a
> callback function to be called every time a new chain of certificates
> is received and validated.
That sounds like something people have asked for. And done in a SSL-library
agnostic way is really cool!
All in all these sound like cool additions/fixes. We're just about to enter a
two-week feature freeze so I would rather not commit anything like this until
after 7.19.3 is out, but we can still work out the details and get it
perfected in the meantime.
-- / daniel.haxx.se
Received on 2009-01-08
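The scheme the quoted proposal describes (each certificate of the chain stored in DER together with its error code, a hard limit of 16 certificates per chain, and an application callback invoked once the whole chain has been received and validated) can be sketched as a small stand-alone C program. This is an added illustration, not the patch under discussion and not libcurl code; every identifier in it (the CERTERR_* bits, the struct names, chain_collect, chain_verify, the two sample callbacks and the placeholder DER byte strings) is an assumption made up for the example. It also shows the two cases a reviewer would ask about: what happens when a chain exceeds the limit, and what the default decision is when no callback is installed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical backend-agnostic certificate error bits (assumption, not libcurl's real codes). */
enum {
    CERTERR_NONE           = 0,
    CERTERR_EXPIRED        = 1 << 0,
    CERTERR_UNTRUSTED_ROOT = 1 << 1,
    CERTERR_NAME_MISMATCH  = 1 << 2,
    CERTERR_CHAIN_TOO_LONG = 1 << 3   /* more certificates arrived than we can store */
};

#define MAX_CHAIN_CERTS 16            /* the hard-coded per-chain limit from the proposal */

enum cert_encoding { CERT_ENC_DER = 0 }; /* DER is the only encoding handled here */

struct cert_info {
    const unsigned char *der;         /* certificate bytes as received */
    size_t len;
    enum cert_encoding encoding;
    unsigned errors;                  /* CERTERR_* bits reported for this certificate */
};

struct cert_chain {
    struct cert_info certs[MAX_CHAIN_CERTS];
    size_t count;                     /* certificates actually stored (<= MAX_CHAIN_CERTS) */
    unsigned errors;                  /* OR of all per-cert bits plus chain-level bits */
};

/* Application callback: return 1 to accept the connection, 0 to reject it. */
typedef int (*cert_verify_cb)(const struct cert_chain *chain, void *userdata);

/* Simulates "a new set of certificates is received": store up to MAX_CHAIN_CERTS DER blobs
   with the error bits the backend reported for each. Excess certificates are dropped and
   the chain is flagged, so the callback can tell it is looking at a truncated chain. */
void chain_collect(struct cert_chain *chain, const unsigned char *const *ders,
                   const size_t *lens, const unsigned *errs, size_t n)
{
    size_t i;
    memset(chain, 0, sizeof *chain);
    if (n > MAX_CHAIN_CERTS) {
        chain->errors |= CERTERR_CHAIN_TOO_LONG;
        n = MAX_CHAIN_CERTS;
    }
    for (i = 0; i < n; i++) {
        chain->certs[i].der = ders[i];
        chain->certs[i].len = lens[i];
        chain->certs[i].encoding = CERT_ENC_DER;
        chain->certs[i].errors = errs[i];
        chain->errors |= errs[i];
    }
    chain->count = n;
}

/* Final decision: the callback sees the complete chain. Without a callback the
   default stays conservative and accepts only error-free chains. */
int chain_verify(const struct cert_chain *chain, cert_verify_cb cb, void *userdata)
{
    if (cb)
        return cb(chain, userdata);
    return chain->errors == CERTERR_NONE;
}

/* Sample callback 1: strict policy, reject on any error and say why. */
static int strict_cb(const struct cert_chain *chain, void *userdata)
{
    (void)userdata;
    if (chain->errors != CERTERR_NONE) {
        fprintf(stderr, "rejecting chain of %zu certs, errors=0x%x\n", chain->count, chain->errors);
        return 0;
    }
    return 1;
}

/* Sample callback 2: pin the leaf. A self-signed leaf (untrusted root is the only
   tolerated error) is accepted only when its DER bytes match the pinned copy exactly. */
struct pin { const unsigned char *der; size_t len; };

static int pinned_cb(const struct cert_chain *chain, void *userdata)
{
    const struct pin *p = userdata;
    const struct cert_info *leaf;
    if (chain->count == 0 || (chain->errors & ~CERTERR_UNTRUSTED_ROOT))
        return 0;
    leaf = &chain->certs[0];
    return leaf->len == p->len && memcmp(leaf->der, p->der, p->len) == 0;
}

/* Constructed placeholder bytes standing in for DER certificates (not real certificates). */
static const unsigned char LEAF_DER[]  = { 0x30, 0x82, 0x01, 0x0a, 0xde, 0xad, 0xbe, 0xef };
static const unsigned char INTER_DER[] = { 0x30, 0x82, 0x02, 0x1b, 0xca, 0xfe, 0xf0, 0x0d };
static const unsigned char OTHER_DER[] = { 0x30, 0x82, 0x01, 0x0a, 0xde, 0xad, 0xbe, 0xee };

int scenario_clean_chain_strict(void)
{
    const unsigned char *ders[] = { LEAF_DER, INTER_DER };
    size_t lens[] = { sizeof LEAF_DER, sizeof INTER_DER };
    unsigned errs[] = { CERTERR_NONE, CERTERR_NONE };
    struct cert_chain c;
    chain_collect(&c, ders, lens, errs, 2);
    return chain_verify(&c, strict_cb, NULL);
}

int scenario_expired_leaf_strict(void)
{
    const unsigned char *ders[] = { LEAF_DER, INTER_DER };
    size_t lens[] = { sizeof LEAF_DER, sizeof INTER_DER };
    unsigned errs[] = { CERTERR_EXPIRED, CERTERR_NONE };
    struct cert_chain c;
    chain_collect(&c, ders, lens, errs, 2);
    return chain_verify(&c, strict_cb, NULL);
}

/* leaf_der is the self-signed certificate the server presents; the pin is always LEAF_DER */
static int run_pinned(const unsigned char *leaf_der, size_t leaf_len)
{
    const unsigned char *ders[] = { leaf_der };
    size_t lens[] = { leaf_len };
    unsigned errs[] = { CERTERR_UNTRUSTED_ROOT };
    struct pin p = { LEAF_DER, sizeof LEAF_DER };
    struct cert_chain c;
    chain_collect(&c, ders, lens, errs, 1);
    return chain_verify(&c, pinned_cb, &p);
}

int scenario_self_signed_pinned(void)    { return run_pinned(LEAF_DER, sizeof LEAF_DER); }
int scenario_self_signed_wrong_pin(void) { return run_pinned(OTHER_DER, sizeof OTHER_DER); }

/* 17 error-free certificates, no callback: must be flagged and rejected, not silently truncated. */
int scenario_too_long_chain_default(void)
{
    const unsigned char *ders[MAX_CHAIN_CERTS + 1];
    size_t lens[MAX_CHAIN_CERTS + 1];
    unsigned errs[MAX_CHAIN_CERTS + 1];
    struct cert_chain c;
    size_t i;
    for (i = 0; i < MAX_CHAIN_CERTS + 1; i++) {
        ders[i] = INTER_DER; lens[i] = sizeof INTER_DER; errs[i] = CERTERR_NONE;
    }
    chain_collect(&c, ders, lens, errs, MAX_CHAIN_CERTS + 1);
    return chain_verify(&c, NULL, NULL) == 0 && c.count == MAX_CHAIN_CERTS
        && (c.errors & CERTERR_CHAIN_TOO_LONG) != 0;
}

int main(void)
{
    printf("clean chain, strict callback:     accept=%d\n", scenario_clean_chain_strict());
    printf("expired leaf, strict callback:    accept=%d\n", scenario_expired_leaf_strict());
    printf("self-signed leaf, pin matches:    accept=%d\n", scenario_self_signed_pinned());
    printf("self-signed leaf, pin mismatch:   accept=%d\n", scenario_self_signed_wrong_pin());
    printf("17-cert chain, default policy:    handled=%d\n", scenario_too_long_chain_default());
    return 0;
}
```

The point of the pinned callback is the one Daniel calls "really cool": the application never touches the SSL backend's own certificate objects, only the stored DER bytes and the error bits, so the same policy works whichever library built the chain. The chain-too-long case is flagged rather than truncated silently because a callback that is only shown the first 16 certificates should know it is not seeing the whole chain.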