Re: Planning to roll out a new version tomorrow from jose.kahan@w3.org on 2000-08-03 (www-lib@w3.org from July to September 2000)

From: <jose.kahan@w3.org>
Date: Thu, 3 Aug 2000 17:33:25 +0200 (MET DST)
To: www-lib@w3.org
Message-Id: <200008031533.RAA03431@tuvalu.inrialpes.fr>

Hello Ajay,

Thanks for your report.

In our previous episode, Ajay Shekhawat said:

> I just downloaded the latest CVS snapshot (mainly because the release
> version wasn't working either), and I find that SSL support seems to be
> broken.

I think I found the problem. By default, libwww-ssl uses the highest available
protocol (TLSv1), unless the protocol is explicitly set up. I changed the
example so that it sets the protocol to HTSSL_V23. This allows the client and
the server to negotiate the protocol level (SSLv3, SSLv2, or TLSv1).

The other problem concerns the verification depth. In HTSSL.c, there's
a function called verify_callback that returns 1 or 0 depending on the
depth of certificate verification. This function comes in fact from a
sample openssl application. 

The problem is that The certificate that the server is sending
back is a self-sealed certificate and it has depth of 1. Because this is
greater than the default depth, the verify_callback returns an error
saying that the certificate chain is too long.

By test and trial, I noticed that the openssl sclient application is
using a depth of 1. My solution was then to extend the libwww-ssl API to be 
able to change the depth and set it to 1 in the wwwssl example.

This let's me get past the certificate verification when accesing the
https://trading.etrade.com/ URL. However, the server sent me  back a 500. This
doesn't concern libwww, but the server, as I got the same error using the 
openssl sclient.

The new API functions are:

	HTSSL_verifyDepth_set ()
	HTSSL_verifyDepth ()

All is commited to CVS.

-----

BTW, A test URL I use is the fortify SSL client test:

$ cd libwww-test/Library/Examples
$ ./wwwssl https://www.fortify.net/cgi-bin/ssl_2

The result of this is an HTML document, stored in a file called get.out.
An extract of the test says:

	You have connected to this web server using the EDH-RSA-DES-CBC3-SHA
	encryption cyper with a secret key length of 168 bits.

-Jose

Received on Thursday, 3 August 2000 11:33:30 UTC