Re: [xml] SSL/TLS support



Hi Alexey,

those points are correct, that is true. At this stage, my intention was
simply to fetch documents through an SSL channel, not to improve the
transport security in any way. Therefore, I didn't care about initialising
the random generator, nor did I pay attention to the validity or revocation
of the server's certificate. Those things would come later, if SSL comes
into libxml at all.

Ciao
Igor

Hi, Igor!

After a quick look at the code I have a few notes:
    1) the rand generation seed (a very important part of SSL
    initialization) is missing
    (http://www.openssl.org/docs/ssl/SSL_library_init.html#):

        > A typical TLS/SSL application will start with the library
        > initialization,
        > will provide readable error messages and will seed the PRNG.

        > SSL_load_error_strings();
        > SSL_library_init();
        > actions_to_seed_PRNG();
    2) the locations of the trusted CAs and of the private key to use are not
    specified. It is not a required step, but it is recommended to have a way
    to specify these parameters. One possible option is to check env
    variables. For example, take a look at this sample code:

    http://groups.google.com/groups?q=openssl+%22client+example%22&hl=en&lr=&ie=UTF8&oe=UTF8&selm=a5646e%24aee%241%40FreeBSD.csie.NCTU.edu.tw&rnum=1
    3) if we have a dependency on OpenSSL then I suggest using OpenSSL
    BIO_ssl(). It hides almost all SSL-specific stuff and is very simple to
    use. Take a look at the help page:
        http://www.openssl.org/docs/crypto/BIO_f_ssl.html
    There is an example as well.
    4) if you need an example of how to find OpenSSL, please take a look at
    the XMLSec library configuration script. It works very well :)

I'll run your code tomorrow and report any problems I find :)

Aleksey.
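The setup points raised in Aleksey's notes (a seeded PRNG, configurable trust-anchor and client-key locations, and the server-certificate validation that Igor's reply says his fetch code skips), shown as an added example that is not part of this thread, of libxml, or of XMLSec. It uses Python's OpenSSL-backed ssl module rather than the C API, so each call maps onto an SSL_CTX setting; the environment variable names (XML_SSL_CA_FILE and friends) are hypothetical, chosen here to play the role of the env-var lookup suggested in note 2. The "insecure" context is the "just fetch through an SSL channel" configuration; the "hardened" one is what a practitioner would want before the feature ships.

```python
import os
import ssl
from urllib.request import Request, urlopen

# Hypothetical environment variable names chosen for this example only;
# libxml defines no such variables.  They stand in for the env-var lookup
# suggested in note 2 above.
CA_FILE_ENV = "XML_SSL_CA_FILE"          # PEM bundle of trusted CAs
CA_DIR_ENV = "XML_SSL_CA_DIR"            # c_rehash-style directory of CA certs
CLIENT_CERT_ENV = "XML_SSL_CLIENT_CERT"  # client certificate (PEM), optional
CLIENT_KEY_ENV = "XML_SSL_CLIENT_KEY"    # matching private key (PEM), optional


def insecure_context():
    """'Just fetch through an SSL channel': the link is encrypted but the
    peer is never authenticated, so any on-path host can impersonate the
    server.  Shown only as the 'before' picture; do not ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # equivalent of SSL_VERIFY_NONE
    return ctx


def hardened_context(env=None):
    """Client context that verifies the server's chain and hostname, takes
    trust anchors and client credentials from the environment, and refuses
    to start on an unseeded PRNG."""
    env = os.environ if env is None else env
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # SSL_VERIFY_PEER: reject bad chains
    ctx.check_hostname = True            # and names that don't match the URL

    cafile = env.get(CA_FILE_ENV)
    capath = env.get(CA_DIR_ENV)
    if cafile or capath:
        # SSL_CTX_load_verify_locations(); raises OSError if the path is
        # missing.  Failing loudly here beats trusting nothing and then
        # being tempted to fall back to CERT_NONE when connections fail.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        # SSL_CTX_set_default_verify_paths(): the platform store plus
        # OpenSSL's own SSL_CERT_FILE / SSL_CERT_DIR variables.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)

    certfile = env.get(CLIENT_CERT_ENV)
    if certfile:
        # SSL_CTX_use_certificate_chain_file() + SSL_CTX_use_PrivateKey_file()
        ctx.load_cert_chain(certfile=certfile, keyfile=env.get(CLIENT_KEY_ENV))

    # Note 1: the PRNG must be seeded before any handshake.  Modern OpenSSL
    # seeds itself from the OS, but RAND_status() is cheap and catches the
    # chrooted or stripped-down environments where that could not happen.
    if not ssl.RAND_status():
        raise RuntimeError("OpenSSL PRNG is not seeded; refusing to start TLS")
    return ctx


def context_summary(ctx):
    """The settings a reviewer looks at first, as plain values."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def fetch_document(url, ctx=None, timeout=10.0):
    """Fetch a document over HTTPS.  With the hardened context the handshake
    raises ssl.SSLCertVerificationError when the chain or hostname does not
    check out, so a bad server can never hand us a document at all."""
    ctx = hardened_context() if ctx is None else ctx
    with urlopen(Request(url), context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("insecure:", context_summary(insecure_context()))
    print("hardened:", context_summary(hardened_context()))
```

Revocation, which Igor's reply also mentions, is not covered by this configuration: the ssl module exposes no CRL/OCSP fetching, and in OpenSSL it would need X509_V_FLAG_CRL_CHECK plus CRLs loaded into the store, or an OCSP stapling callback, on top of the chain check shown here.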
