SSL client certificate support #474

Merged
merged 2 commits into from Jan 21, 2014

klickverbot commented Jan 20, 2014

I needed support for SSL client certificates in my server application, so here is an initial patch. The host name/IP address verification/documentation issue is not tackled by this patch yet, as I don't really need it in my application.

klickverbot added some commits Jan 17, 2014

SSLContext: Added support for CA-based certificate verification.
This is enough to implement a server that requires client
certificates resp. a client that connects to such a server.
s-ludwig commented Jan 21, 2014

I'll add the full verification bit by bit. It's possible that the verifyPeer property will be replaced in the process by some kind of user callback (at least that was my initial idea, but I don't yet have a full overview of the problem domain).

s-ludwig added a commit that referenced this pull request Jan 21, 2014

Merge pull request #474 from klickverbot/ssl
SSL client certificate support

@s-ludwig s-ludwig merged commit 7fcb4e6 into vibe-d:master Jan 21, 2014

@klickverbot klickverbot deleted the klickverbot:ssl branch Jan 21, 2014

klickverbot commented Jan 21, 2014

@s-ludwig: Yep. A snippet from the related code in Thrift: https://gist.github.com/klickverbot/8544161 (this is run after the handshake has been completed, so I think the first few calls should never fail, but better be safe…). The access manager allows the user to customize the verification behavior. However, the interface only exposes the host name; for vibe.d, you might want to offer more options.

klickverbot commented Jan 21, 2014

@s-ludwig: (Also note that SSL_CTX_set_verify optionally takes a callback parameter which can be used to directly hook the customized verification process into the SSL handshake procedure. The interface is rather clunky though, so Thrift just runs the checks after the connection has been established, which might not be optimal.)

s-ludwig commented Feb 8, 2014

Just to remember: I've started a branch a while ago, which should be more or less done apart from the API: https://github.com/rejectedsoftware/vibe.d/commits/sslverify

I've postponed the host name verification until after the initial handshake for now, because getting the immediate certificate seems to be a bit awkward from within the validation callback and would need some careful verification.
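
The host name check that the comments above describe running after the handshake, as an added example (not vibe.d's or Thrift's code). The function names `peer_host_ok` and `dns_name_matches` are hypothetical, and the dNSName entries are assumed to have been read from the peer's leaf certificate already; the sample names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two NUL-terminated ASCII names. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Match one dNSName pattern against the expected host. Only a whole leftmost
 * label "*" is a wildcard, and it covers exactly one non-empty label. */
static int dns_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)   /* no wildcard label: exact match only */
        return strchr(pattern, '*') == NULL && eq_nocase(pattern, host);
    const char *suffix = pattern + 1;     /* e.g. ".svc.example.com" */
    if (strchr(suffix, '*') != NULL) return 0;       /* a single wildcard only */
    if (strchr(suffix + 1, '.') == NULL) return 0;   /* reject "*.com" */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host) return 0;
    return eq_nocase(dot, suffix);
}

/* Post-handshake check: accept only if some SAN dNSName matches the host.
 * san_dns is assumed to hold the names already read from the leaf certificate. */
int peer_host_ok(const char *const *san_dns, size_t n, const char *host)
{
    if (host == NULL || *host == '\0') return 0;
    for (size_t i = 0; i < n; i++)
        if (san_dns[i] != NULL && dns_name_matches(san_dns[i], host))
            return 1;
    return 0;   /* fail closed, also when the certificate carries no names */
}

int main(void)
{
    /* Constructed sample names, not taken from a real certificate. */
    const char *const san[] = { "api.example.com", "*.svc.example.com" };
    const char *const hosts[] = { "API.example.com", "a.svc.example.com",
                                  "a.b.svc.example.com", "svc.example.com" };
    for (size_t i = 0; i < 4; i++)
        printf("%-20s %s\n", hosts[i],
               peer_host_ok(san, 2, hosts[i]) ? "accept" : "reject");
    return 0;
}
```

Because the check runs only after the handshake has completed, the caller has to close the connection on a reject before any application data is sent or read.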
