Re: [xml] SSL/TLS support



Hi, Igor!

After a quick look at the code I have a few notes:
1) the rand generation seed (a very important part of SSL initialization) is missing
   (http://www.openssl.org/docs/ssl/SSL_library_init.html#):

   > A typical TLS/SSL application will start with the library initialization,
   > will provide readable error messages and will seed the PRNG.

   > SSL_load_error_strings();
   > SSL_library_init();
   > actions_to_seed_PRNG();
2) the locations of the trusted CAs and the private key to use are not specified. It is not a required step but it's recommended to have an ability to specify these parameters. One possible option is to check env variables. For example, take a look at this sample code: http://groups.google.com/groups?q=openssl+%22client+example%22&hl=en&lr=&ie=UTF8&oe=UTF8&selm=a5646e%24aee%241%40FreeBSD.csie.NCTU.edu.tw&rnum=1
3) if we have a dependency on the OpenSSL then I suggest using OpenSSL BIO_ssl(). It hides almost all SSL specific stuff and is very simple to use. Take a look at the help page:
   http://www.openssl.org/docs/crypto/BIO_f_ssl.html
   There is an example as well.
4) if you need an example of how to find OpenSSL please take a look at XMLSec library
   configuration script. It works very well :)

I'll run your code tomorrow and report any problems I'll find:)

Aleksey.


Igor Zlatkovic wrote:

Hello everyone,

Following the example given by my Lord Mark of the Vakoc :-), I have brought
the SSL/TLS support somewhat further towards the integration into the source
base.

Here are two things. The one is what Mark has produced, which is the SSL/TLS
support using Windows native API. The second one is SSL/TLS through OpenSSL.

The native support on Windows is controlled through a LIBXML_HTTPS_WININET
macro. Windows configuration script takes care of setting or unsetting this
(not included in the attached diff). The necessary code change affects
xmlIO.c

The OpenSSL support should be available on all platforms where openssl and
libxml work. This thing is controlled through HAVE_OPENSSL_SSL_H macro, as
<openssl/ssl.h> is the only header file needed for this mess. The affected
files are nanohttp.c and xmlIO.c. However, I have problems with this one,
read on.

The attached diff contains the patch for both. This one should not be
applied now, it is just for review.

Now, the native Windows version works (although I have no idea what the
GSSBROWSER window might be... Mark?) quite well and does not depend on other
features. If no one objects to this, I would commit the necessary changes.

The OpenSSL support depends on nanoHttp and is not complete. I have two
problems with this one:
 * The secrets of automake/autoconf are beyond my present knowledge and I
don't know how to tweak this to check for existence of OpenSSL and define
HAVE_OPENSSL_SSL_H macro. Could someone help with this? :-)
 * Either I am missing something obvious, or my OpenSSL installation does
not tick correctly. The code as I made it should work, still there is an
error I cannot find. If someone finds a second or two, please check the
attached patch and tell me why it times out on select() after
SSL_connect() in xmlNanoHTTPMethodRedir() in nanohttp.c? Alexey, you
certainly know what is amiss, eh? If it is something trivial, have mercy, it
is my first hack with OpenSSL :-)

Ciao
Igor
