From: Eric Wong <normalperson@yhbt.net>
To: kgio@librelist.com
Subject: Re: Like OpenSSL::SSL::SSLSocket#connect_nonblock
Date: Tue, 10 Apr 2012 20:26:44 +0000
Message-ID: <20120410202644.GE25426@dcvr.yhbt.net>
In-Reply-To: CALiegfnHmfjeW_EbPKwKDS12HS48eh9VBYf2p=430P_uqj-ohA@mail.gmail.com

Iñaki Baz Castillo <ibc@aliax.net> wrote:
> 2012/4/9 Iñaki Baz Castillo <ibc@aliax.net>:
> > Hi Eric, the doc says:
> >
> > -------------------
> > Kgio::SSLConnector
> > Like Kgio::SSL, but for SSL/TLS clients that connect to clients, not
> > SSL/TLS servers.
> > -------------------
> >
> > So, is the doc wrong? Maybe it should say:
> >
> > "Like Kgio::SSL, but for SSL/TLS clients that connect to *servers*,
> > not SSL/TLS servers."
> >
> > :)

Correct, can you send a patch for this?

> -------------------
> Kgio::SSLConnector.new(io, ssl_ctx, hostname, session = nil)
>
> Initializes and SSL/TLS client socket. Like Kgio::SSL.new, except
> hostname is required for verification and session may be specified as
> an OpenSSL::SSL::Session object.
> -------------------
>
>
> Two points:
>
> 1) The doc should say "Initializes an SSL/TLS client socket." :)

Also correct, patch? :)

> 2) What does it mean "hostname is required for verification"? I hope
> it does not mean that "hostname" is a required argument and it's
> matched against the CommonName field in the server certificate. That
> would be a really ugly limitation of certificate validation since
> there are other ways to validate a certificate (i.e. SubjectAltName
> fields).

(I'm not remotely close to being an SSL expert, and kgio-monkey includes
plenty of disclaimers :)

The hostname should be matched against CommonName and/or SubjectAltName.

kgio-monkey calls SSL_set_tlsext_host_name() and
OpenSSL::SSL.verify_certificate_identity (for SubjectAltName), so one of
the methods for handling hostname verification _should_ work.
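
An added example, not part of the original message and not kgio-monkey code: it calls the OpenSSL::SSL.verify_certificate_identity method named above on two constructed self-signed certificates to show how Ruby's standard library treats CommonName and SubjectAltName. The helper names (make_cert, identity_ok?, identity_matrix) and the example.test hostnames are assumptions made for illustration.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate (constructed sample data).
# san is an OpenSSL config-style string such as "DNS:a.test,DNS:*.b.test".
def make_cert(common_name, san = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if san
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Identity check only: this does not validate the chain, expiry or signature.
def identity_ok?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Run the check for several candidate hostnames and return { host => bool }.
def identity_matrix(cert, hostnames)
  hostnames.each_with_object({}) { |h, out| out[h] = identity_ok?(cert, h) }
end

# Constructed certificates: one with only a CN, one with a CN plus dNSName SANs.
CN_ONLY  = make_cert('www.example.test')
WITH_SAN = make_cert('cn.example.test',
                     'DNS:api.example.test,DNS:*.apps.example.test')

p identity_matrix(CN_ONLY, %w[www.example.test other.example.test])
p identity_matrix(WITH_SAN, %w[api.example.test foo.apps.example.test
                               a.b.apps.example.test cn.example.test])
```

When a certificate carries any dNSName SubjectAltName entry, Ruby's check ignores the CommonName, and a wildcard entry covers a single label only.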