Closed iustin closed 13 years ago
It does not check certificates? That is bad! Does that depend on whether you use tls or HsOpenSSL?
I've put in a request for the tls package to expose certificate functionality. Hopefully this will make it into http-enumerator 0.4.
Upon further inspection, the code is already available in tls. I've added a field checkCerts to the Request datatype. Does this resolve the issue?
I would say that this is the minimum needed to implement checking. If I read that commit correctly, one will have to use parseUrl2, then update the request with their own checkCerts. This is good.
However, I believe that what most people will do is reimplement this: "given these CA certificates, and this hostname, does the subjectDN match the hostname and is it signed by a valid CA?" but forget to do proper checking of corner cases (CertKeyUsage, etc.). So probably the certificate package should expose some helpers for common cases.
Anyway, this does not belong in http-enumerator, so I think this bug can be closed. Thanks a lot!
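The hostname half of the check described in the comment above, as an added example that is not code from this thread or from the tls or certificate packages. It is written in Python so it runs stand-alone, covers only name matching (chain validation and key-usage checks are out of scope), and the function names and sample names are hypothetical.

```python
import ipaddress

# Hypothetical helpers: hostname matching only, no chain or key-usage checks.

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(pattern, hostname):
    """Match one certificate DNS name against the hostname being requested."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or _is_ip(hostname):
        return False  # an IP literal must never match a DNS name entry
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard corner cases: "*" must be the entire leftmost label,
    # may appear nowhere else, and stands for exactly one label.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False
    # Reject patterns as broad as "*.com" and hosts with extra labels.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]

def cert_matches_host(san_dns, common_name, hostname):
    """Use subjectAltName DNS entries when present; CN only if there are none."""
    names = san_dns if san_dns else ([common_name] if common_name else [])
    return any(name_matches(n, hostname) for n in names)

if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    for pat, host in [("*.example.com", "www.example.com"),
                      ("*.example.com", "a.b.example.com"),
                      ("*.com", "example.com")]:
        print(pat, host, name_matches(pat, host))
```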
And thank you for recommending the feature.
I couldn't find out how I can control the SSL certificate verification:
As opposed to:
Could you please either document this or implement it?
thanks! iustin