42 points fairlight1337 | 8 comments
1. Rygian ◴[] No.40716106[source]
I would have liked to see the logic on client side to decide if the certificate presented by the server is valid.
replies(2): >>40716985 #>>40719447 #
2. Retr0id ◴[] No.40716985[source]
I'm a little surprised the OpenSSL API doesn't force you to consider this by default, but indeed it does not: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_new.html...

> On session establishment, by default, no peer credentials verification is done. This must be explicitly requested, typically using SSL_CTX_set_verify(3).

Aside: According to those docs, SSLv23_client_method() is deprecated.

replies(1): >>40717064 #
3. Icathian ◴[] No.40716993[source]
This is a really nice part 1. I think a series building from this up to what would be considered "secure" in modern day, with the other topics already mentioned in comments here and on the article, would be awesome. I could easily see it becoming a very popular resource among students or new devs who are solving these problems for the first time themselves. The writing is very clear and concise.
4. Severian ◴[] No.40717064{3}[source]
Yeah, not verifying server cert or OCSP/CRLs is a problem. DNS attacks can redirect and you'd be none the wiser.
5. ◴[] No.40717129[source]
6. ranger_danger ◴[] No.40719447[source]
The page was updated to include that.
replies(1): >>40727069 #
7. Rygian ◴[] No.40727069{3}[source]
Well done!