Re: ssl client certificates from Vic Bancroft on 2005-02-28 (www-lib@w3.org from January to March 2005)

From: Vic Bancroft <bancroft@america.net>
Date: Mon, 28 Feb 2005 00:01:15 -0500
To: Andrew Steets <steets@gmail.com>
CC: www-lib@w3.org
Message-ID: <4222A59B.5060508@america.net>
Andrew Steets wrote:

>Though I just realized that I made a change to an .h file and
>not the .html file so cvs is currently broken, also I broke
>"webbot -v w/ the last patch too :) Patch to fix is below.
>  
>
Easy enough, though it would be nice to generate the html from the source.

    Checking in Library/src/SSL/HTSSL.html;
    /sources/public/libwww/Library/src/SSL/HTSSL.html,v  <--  HTSSL.html
    new revision: 1.4; previous revision: 1.3
    done
    Checking in Robot/src/RobotMain.c;
    /sources/public/libwww/Robot/src/RobotMain.c,v  <--  RobotMain.c
    new revision: 1.15; previous revision: 1.14
    done

Moving around the "-v" option processing sort of brings up how handy 
getopt could be . . .

BTW, the log files only show a couple of things.  Had you noticed, either

    /usr/share/aclocal/gob2.m4:7: warning: underquoted definition of
    GOB2_HOOK
      run info '(automake)Extending aclocal'
      or see
    http://sources.redhat.com/automake/automake.html#Extending-aclocal

or

    HTRobot.c:403: warning: null argument where non-null required (arg 1)
    HTRobot.c:403: warning: null argument where non-null required (arg 2)
    HTRobot.c:403: warning: null argument where non-null required (arg 1)
    HTRobot.c:403: warning: null argument where non-null required (arg 1)
    HTRobot.c:403: warning: null argument where non-null required (arg 1)
    HTRobot.c:403: warning: null argument where non-null required (arg 2)
    HTRobot.c:403: warning: null argument where non-null required (arg 1)
    HTRobot.c:403: warning: null argument where non-null required (arg 2)

Not that we can do anything about the first one, but the "null 
arguement" one . . .

>So I also have some thoughts I'd like your opinion on.  The current
>libwww SSL does not verify anything other than the length of the cert
>chain from the server (the "verifydepth").  That is, it does _not_
>verify against any trusted CA certs or check activation/expiration
>dates or anything like that.  
>
Yes, it currently just does the very basic bit of function.

>According to <openssl/x509_vfy.h> there are nearly 30 reasons a server cert could be invalid and we only check one.  We are getting encryption, but not really any proper authentication.  
>
Is there a good way detect and report such authentication failures ?  

>I will have to tighten this up (in verify_callback()
>from HTSSL.c) for the particular application I have in mind, but I was
>curious if you know of a good way to do this and fit it in w/ the
>whole libwww scheme of things.
>  
>
Good question.  For example, how would we want to treat date range 
errors like,

    #define         X509_V_ERR_CERT_NOT_YET_VALID                   9      
    #define         X509_V_ERR_CERT_HAS_EXPIRED                     10
    #define         X509_V_ERR_CRL_NOT_YET_VALID                    11
    #define         X509_V_ERR_CRL_HAS_EXPIRED                      12

as differing from an invalid certificate authority like,

    #define         X509_V_ERR_INVALID_CA                           24

Is the error handling an application policy decision that might vary by 
use case ?

more,
l8r,
v
Received on Monday, 28 February 2005 05:22:10 UTC