(netprivacypro.com)

42 points fairlight1337 | 5 comments | 17 Jun 24 07:09 UTC | HN request time: 0.427s | source

1. Rygian ◴[18 Jun 24 10:39 UTC] No.40716106[source]▶

I would have liked to see the logic on client side to decide if the certificate presented by the server is valid.

replies(2): >>40716985 #>>40719447 #

2. Retr0id ◴[18 Jun 24 12:26 UTC] No.40716985[source]▶

I'm a little surprised the OpenSSL API doesn't force you to consider this by default, but indeed it does not: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_new.html...

> On session establishment, by default, no peer credentials verification is done. This must be explicitly requested, typically using SSL_CTX_set_verify(3).

Aside: According to those docs, SSLv23_client_method() is deprecated.

replies(1): >>40717064 #

3. Severian ◴[18 Jun 24 12:33 UTC] No.40717064[source]▶

>>40716985 #

Yeah, not verifying server cert or OCSP/CRLs is a problem. DNS attacks can redirect and you'd be none the wiser.

4. ranger_danger ◴[18 Jun 24 16:10 UTC] No.40719447[source]▶

>>40716106 (TP) #

The page was updated to include that.

replies(1): >>40727069 #

5. Rygian ◴[19 Jun 24 11:05 UTC] No.40727069[source]▶

>>40719447 #

Well done!

↑

How to Use Secure Sockets in C on Linux