kgio RubyGem user+dev discussion/patches/pulls/bugs/help
From: "Iñaki Baz Castillo" <ibc@aliax.net>
To: kgio@librelist.com
Subject: Re: Like OpenSSL::SSL::SSLSocket#connect_nonblock
Date: Tue, 10 Apr 2012 22:50:30 +0200	[thread overview]
Message-ID: <CALiegfmfTU1YudEpm4oywtRtz+Amca4jyR5JizTLd6fCUw4UgA@mail.gmail.com> (raw)
In-Reply-To: 20120410202644.GE25426@dcvr.yhbt.net


Hi, I include a patch fixing the doc typos. More inline:

2012/4/10 Eric Wong <normalperson@yhbt.net>:
>> 2) What does it mean "hostname is required for verification"? I hope
>> it does not mean that "hostname" is a required argument and it's
>> matched against the CommonName field in the server certificate. That
>> would be a really ugly limitation of certificate validation since
>> there are other ways to validate a certificate (i.e. SubjectAltName
>> fields).
>
> (I'm not remotely close to being an SSL expert, and kgio-monkey includes
>  plenty of disclaimers :)
>
> The hostname should be matched against CommonName and/or SubjectAltName

This is not entirely true. It is much more complex ;)

I'll show you some code I wrote for my SIP proxy. It's a Ruby script
that gets the SIP identities (domains) in an X.509 certificate (PEM
format). The script output is self-descriptive.

I also attach two certificates:

- oversip.net.crt: A certificate created by me with cool SIP
  identities in SubjectAltName.
- github.crt: The certificate from github.com.

Run the script passing as argument each certificate ;)

And note this is just for SIP world, maybe in XMPP it's different, or
in HTTP or whatever. Each protocol specification defines how a server
certificate must be checked.

> kgio-monkey calls SSL_set_tlsext_host_name() and
> OpenSSL::SSL.verify_certificate_identity (for SubjectAltName), so one of
> the methods for handling hostname verification _should_ work.

Hummmm... not sure ;)

Well, I will be much happier if I can set the certificate
validation callback by myself ;)

I've worked too much (yet) with Ruby OpenSSL bindings, but I hope that
it does allow setting my own verification method.
Regards.
-- 
Iñaki Baz Castillo
<ibc@aliax.net>
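As an added example (not the script or certificates attached to this message, which are not on the page), here is what "identities in a certificate" means for SIP in Ruby OpenSSL terms: a self-signed certificate is constructed at run time with a SubjectAltName carrying DNS, URI and email entries, the SAN is decoded from its DER rather than the printable form, and a domain is matched against the SIP identities it yields (dNSName entries and sip: URIs, with the CN used only as a fallback, following RFC 5922). The SAN contents and subject are constructed sample values.

```ruby
require 'openssl'

# Constructed sample: a self-signed cert generated at run time, standing in for
# the oversip.net.crt attachment (which is not on the page).
SAMPLE_SAN = 'DNS:oversip.net, DNS:sip.oversip.net, URI:sip:oversip.net, email:admin@oversip.net'

def build_sample_cert(san = SAMPLE_SAN)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=oversip.net/O=Example')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256')) # returns the signed cert
end

DNS_NAME, URI_NAME = 2, 6 # GeneralName context tags, RFC 5280 section 4.2.1.6

# subjectAltName entries as [tag, value] pairs, read from the extension's DER
# (the printable ext.value string is easy to misparse, e.g. URIs with commas).
def general_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  octets = OpenSSL::ASN1.decode(ext.to_der).value.last.value # OCTET STRING body
  OpenSSL::ASN1.decode(octets).value.map { |gn| [gn.tag, gn.value] }
end

# SIP identities per RFC 5922 section 7.1: dNSName entries and sip: URIs without
# userinfo (host only) from the SAN; the subject CN counts only if the SAN has none.
def sip_identities(cert)
  ids = general_names(cert).map do |tag, val|
    case tag
    when DNS_NAME then val.downcase
    when URI_NAME then val[/\Asip:([^@\/;?:]+)\z/i, 1]&.downcase
    end
  end.compact.uniq
  return ids unless ids.empty?
  cn = cert.subject.to_a.find { |name, _| name == 'CN' }
  cn ? [cn[1].downcase] : []
end

# Exact, case-insensitive comparison: RFC 5922 allows no wildcard identities.
def sip_identity_match?(cert, domain)
  sip_identities(cert).include?(domain.downcase)
end

puts "SIP identities: #{sip_identities(build_sample_cert).inspect}" if __FILE__ == $0
```

Note that the email entry is deliberately ignored and that `sip:alice@oversip.net` would not count as an identity, which is exactly the protocol-specific rule the message points at: what a "hostname" means depends on the protocol's own certificate-checking rules.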

Thread overview: 8+ messages
2012-04-06 21:50 Like OpenSSL::SSL::SSLSocket#connect_nonblock Iñaki Baz Castillo
2012-04-09  3:22 ` Eric Wong
2012-04-09 18:31   ` Iñaki Baz Castillo
2012-04-09 18:44     ` Iñaki Baz Castillo
2012-04-10 20:26       ` Eric Wong
2012-04-10 20:50         ` Iñaki Baz Castillo [this message]
2012-04-10 21:02           ` Eric Wong
2012-04-10 21:55             ` Iñaki Baz Castillo