- From: <jose.kahan@w3.org>
- Date: Thu, 3 Aug 2000 17:33:25 +0200 (MET DST)
- To: www-lib@w3.org
Hello Ajay,

Thanks for your report.

In our previous episode, Ajay Shekhawat said:

> I just downloaded the latest CVS snapshot (mainly because the release
> version wasn't working either), and I find that SSL support seems to be
> broken.

I think I found the problem.

By default, libwww-ssl uses the highest available protocol (TLSv1), unless the protocol is explicitly set up. I changed the example so that it sets the protocol to HTSSL_V23. This allows the client and the server to negotiate the protocol level (SSLv3, SSLv2, or TLSv1).

The other problem concerns the verification depth. In HTSSL.c, there's a function called verify_callback that returns 1 or 0 depending on the depth of certificate verification. This function comes in fact from a sample openssl application. The problem is that the certificate that the server is sending back is a self-sealed certificate and it has a depth of 1. Because this is greater than the default depth, the verify_callback returns an error saying that the certificate chain is too long.

By test and trial, I noticed that the openssl sclient application is using a depth of 1. My solution was then to extend the libwww-ssl API to be able to change the depth and set it to 1 in the wwwssl example. This lets me get past the certificate verification when accessing the https://trading.etrade.com/ URL. However, the server sent me back a 500. This doesn't concern libwww, but the server, as I got the same error using the openssl sclient.

The new API functions are:

HTSSL_verifyDepth_set ()
HTSSL_verifyDepth ()

All is committed to CVS.

-----

BTW, a test URL I use is the fortify SSL client test:

$ cd libwww-test/Library/Examples
$ ./wwwssl https://www.fortify.net/cgi-bin/ssl_2

The result of this is an HTML document, stored in a file called get.out. An extract of the test says:

You have connected to this web server using the EDH-RSA-DES-CBC3-SHA encryption cyper with a secret key length of 168 bits.

-Jose
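The depth failure described in the message above, as an added stand-alone model (not libwww's HTSSL.c nor OpenSSL's sample code): the callback is invoked once per certificate from the deepest one down to the server certificate at depth 0, and a chain is rejected as soon as a certificate sits deeper than the configured verify depth. The names verify_depth, verify_callback_model and chain_passes are assumptions for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Verify depth as a module-level setting, mirroring the "verify_depth"
 * global of the OpenSSL sample application (hypothetical name here).
 * 0 is the default the mail reports as too small. */
static int verify_depth = 0;

/* Model of the sample verify_callback: return 1 to accept this
 * certificate, 0 to reject it.  'preverify_ok' is what the library's own
 * checks concluded; 'depth' is the certificate's position in the chain.
 * On rejection *err names the reason. */
static int verify_callback_model(int preverify_ok, int depth, const char **err)
{
    if (depth > verify_depth) {
        /* The condition OpenSSL reports as X509_V_ERR_CERT_CHAIN_TOO_LONG. */
        *err = "certificate chain too long";
        return 0;
    }
    if (!preverify_ok) {
        *err = "verification failed at this depth";
        return 0;
    }
    *err = NULL;
    return 1;
}

/* Walk a constructed chain of chain_len certificates, deepest first, with the
 * given verify depth.  Every certificate is assumed to pass the library's own
 * checks, so only the depth rule can fail.  Returns 1 if the chain passes. */
int chain_passes(int chain_len, int depth_limit)
{
    const char *err = NULL;
    verify_depth = depth_limit;
    for (int depth = chain_len - 1; depth >= 0; depth--) {
        if (!verify_callback_model(1, depth, &err)) {
            printf("depth %d: rejected (%s)\n", depth, err);
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* A two-certificate chain (deepest at depth 1), as in the report above. */
    printf("verify depth 0: %s\n", chain_passes(2, 0) ? "accepted" : "rejected");
    printf("verify depth 1: %s\n", chain_passes(2, 1) ? "accepted" : "rejected");
    return 0;
}
```

With verify depth 0 the chain is rejected at depth 1 before the server certificate is even examined; raising the depth to 1, as the new HTSSL_verifyDepth_set () does in the wwwssl example, lets the same chain through.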
Received on Thursday, 3 August 2000 11:33:30 UTC