(netprivacypro.com)

42 points fairlight1337 | 2 comments | 17 Jun 24 07:09 UTC | HN request time: 0.408s | source

Show context

Rygian ◴[18 Jun 24 10:39 UTC] No.40716106[source]▶

I would have liked to see the logic on client side to decide if the certificate presented by the server is valid.

replies(2): >>40716985 #>>40719447 #

1. Retr0id ◴[18 Jun 24 12:26 UTC] No.40716985[source]▶

I'm a little surprised the OpenSSL API doesn't force you to consider this by default, but indeed it does not: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_new.html...

> On session establishment, by default, no peer credentials verification is done. This must be explicitly requested, typically using SSL_CTX_set_verify(3).

Aside: According to those docs, SSLv23_client_method() is deprecated.

replies(1): >>40717064 #

2. Severian ◴[18 Jun 24 12:33 UTC] No.40717064[source]▶

>>40716985 (TP) #

Yeah, not verifying server cert or OCSP/CRLs is a problem. DNS attacks can redirect and you'd be none the wiser.

↑

How to Use Secure Sockets in C on Linux