New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Certificate validation and SNI extension support for axTLS #362

Merged
merged 16 commits into from Jul 18, 2018

Conversation

Projects
None yet
2 participants
@qykth-git
Copy link
Contributor

qykth-git commented Jul 16, 2018

This pull request adds certificate validation and SNI extension support for axTLS.

Note:
Because of limitation of axTLS, some HTTPS server will not works well that the server uses wrong certificates.

@shirok

This comment has been minimized.

Copy link
Owner

shirok commented Jul 18, 2018

Thanks. I'll take them as they are and take a look.

@shirok shirok merged commit 4b360e8 into shirok:master Jul 18, 2018

@shirok

This comment has been minimized.

Copy link
Owner

shirok commented Jul 18, 2018

To avoid breaking existing code, I set the default behavior of rfc.https and rfc.tls as follows:

  • If --with-ca-bundle isn't specified at the configuration time, tls-ca-bundle-path gets #f as the default value.
  • When https connection is asked and tls-ca-bundle-path is #f, we allow axtls to connect without verification (for mbedtls it will raise an error anyway.)

It is desirable to verify certs always, so we'll gradually tighten the behavior (warning -> error by default).

@shirok

This comment has been minimized.

Copy link
Owner

shirok commented Jul 19, 2018

@qykth-git Do you have any ideas on this #365 ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment