Re: [xml] SSL/TLS support

Hi Alexey,

those points are correct, that is true. In this stage, my intention was
simply to fetch documents through a SSL channel, not to improve the
transport security in any way. Therefore, I didn't care about initialising
the random generator, nor did I pay attention to the validity or revocation
of the server's certificate. Those things would come later, if SSL comes
into libxml at all.


Hi, Igor!

After quick look at the code I have few notes:
    1) the rand generation seed (a very important part of SSL
initialization) is missed

        > A typical TLS/SSL application will start with the library
        > will provide readable error messages and will seed the PRNG.

        > SSL_load_error_strings();
        > SSL_library_init();
        > actions_to_seed_PRNG();
    2) the trusted CA's and private key to use locations are not
specified. It is not a required
    step but it's recommended to have an ability to specify these
parameters. One possible
    option is to check env variables. For example, take a look at this
sample code:
    3) if we have a dependency on the OpenSSL then I suggest to use
OpenSSL BIO_ssl().
    It hides almost all SSL specific stuff and very simple to use. Take
a look at the help page:
    There is an example as well.
    4) if you need an example of how to find OpenSSL please take a look
at XMLSec library
    configuration script. it works very well :)

I'll run your code tomorrow and report any problems I'll find:)


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]