Re: Querying the GNUTLS session from libsoup



On 02/18/2011 03:47 PM, Nick wrote:
> Hi there,
> 
> I've recently started hacking on a project which uses libsoup. I
> want to do more than the ssl-ca-file & ssl-strict do regarding
> accepting secure connections. To be more specific, I want to allow
> an SSL whitelist, based on hostname and fingerprint.
> 
> To do this I need to find the certificate's fingerprint. This is
> reasonably simple from GNUTLS, using gnutls_certificate_get_peers,
> gnutls_x509_crt_init and gnutls_x509_crt_get_fingerprint. However,
> this requires that I have access to the gnutls_session pointer,
> which libsoup currently keeps as a private part of SoupSession.

There's no way to do this in the current stable version of libsoup. You
can do it in libsoup 2.33 (which will become libsoup 2.34 and be
released as part of GNOME 3.0 in a month). A SoupMessage attached to a
TLS connection will have a "tls-certificate" property, which is a
GTlsCertificate. (You can use soup_message_get_https_status() to fetch
that, or use g_object_get().) The GTlsCertificate is opaque-ish, but you
can get the raw DER data out of it via its "certificate" property, and
then you can pass that to gnutls and then do whatever you want with it.

-- Dan
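
The hostname-and-fingerprint whitelist discussed in this thread, as an added example that is not part of either message and is not libsoup or GnuTLS code: it takes the DER bytes that the "certificate" property yields and checks their digest against fingerprints pinned per hostname. It is written in Python so that it runs stand-alone; the choice of SHA-256, the function names and the sample bytes are assumptions made for the example.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes; SHA-256 is an assumption


def normalize_fingerprint(text):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex and return the raw digest."""
    cleaned = text.replace(":", "").replace(" ", "").lower()
    raw = bytes.fromhex(cleaned)  # raises ValueError on malformed hex
    if len(raw) != DIGEST_LEN:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes)")
    return raw


def normalize_host(host):
    """Hostnames compare case-insensitively; drop a trailing root dot."""
    return host.rstrip(".").lower()


def build_whitelist(entries):
    """entries: iterable of (hostname, fingerprint string) pairs."""
    table = {}
    for host, fp in entries:
        table.setdefault(normalize_host(host), []).append(normalize_fingerprint(fp))
    return table


def is_whitelisted(table, host, der):
    """True only if `der` hashes to a fingerprint pinned for exactly `host`."""
    # A certificate fingerprint is a digest of its DER encoding.
    actual = hashlib.sha256(der).digest()
    ok = False
    for pinned in table.get(normalize_host(host), []):
        # compare_digest avoids leaking how many leading bytes matched.
        ok |= hmac.compare_digest(pinned, actual)
    return ok  # unknown host -> empty list -> False (fail closed)


# Constructed sample input: placeholder bytes, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
_hex = hashlib.sha256(SAMPLE_DER).hexdigest()
SAMPLE_FP = ":".join(_hex[i:i + 2] for i in range(0, len(_hex), 2)).upper()
WHITELIST = build_whitelist([("example.org", SAMPLE_FP)])

if __name__ == "__main__":
    print(is_whitelisted(WHITELIST, "Example.ORG.", SAMPLE_DER))  # pinned host
    print(is_whitelisted(WHITELIST, "example.net", SAMPLE_DER))   # not pinned
```
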

