On Thu, Nov 01, 2012 at 02:14:29PM +0100, Michal Suchanek wrote:
> Excerpts from Kurt Roeckx's message of Wed Oct 31 20:07:31 +0100 2012:
> > On Wed, Oct 31, 2012 at 07:37:25PM +0100, Michal Suchanek wrote:
> > > Package: openssl
> > > Version: 1.0.1c-4
> > > Severity: important
> > >
> > > Hello,
> > >
> > > I tried to get certificate validation working in an application using
> > > OpenSSL.
> > >
> > > I added a call to the verification routine and it rejects invalid
> > > certificates all right, but forwarding the server connection through
> > > local inetd+nc does not produce an error.
> > >
> > > Looking for working applications I tried openssl s_client and it
> > > verifies the hijacked connection too.
> >
> > s_client should properly verify the result, and show you that
> > there is an error. It will then continue even when the
> > verification fails. See the manual.
>
> Yes, the verify result is 0 as is in my test application.
> No error is reported.
>
> > > Is there any example of an application using openssl that can correctly
> > > verify server certificates at all?
> >
> > As far as I know, curl at least does the right thing by
> > default.
>
> It uses gnutls so that's not surprising. gnutls has a well documented
> interface for that.
curl can be linked against either openssl, gnutls or nss. libcurl3 is
linked against openssl. You need to make sure you're using libcurl3-gnutls
or libcurl3-nss if you don't want to use openssl.

> > See the SSL_get_verify_result() man page.
>
> Yes, that I do and get no error.

So why do you expect it to give an error?


Kurt
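An added illustration of the two separate checks a client has to make, not code from this bug thread, from OpenSSL or from curl. SSL_get_verify_result() reports only whether the peer's certificate chain validated against the trust store; in OpenSSL 1.0.1 it does not compare the certificate's names with the host the application meant to reach (1.0.2 added X509_check_host() and X509_VERIFY_PARAM_set1_host() for that, and 1.1.0 added SSL_set1_host()). A relay that forwards the real server's handshake therefore presents a chain that validates, so the name check is what separates the intended server from a forwarder. The certificate dicts below are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns (Python's ssl module is itself built on OpenSSL); the function names are this example's own.

```python
"""Name matching that a client must perform in addition to chain
verification.  Added example; the certificate dicts are constructed in
the shape Python's ssl.SSLSocket.getpeercert() returns."""


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against `hostname`, case-insensitively.
    A wildcard is accepted only as the entire leftmost label, it matches
    exactly one label, and (a policy choice here) at least two fixed labels
    must follow it, so "*.com" and "*" never match anything."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcards outside the leftmost label are refused
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str) -> bool:
    """Return True if `cert` names `hostname`.  subjectAltName DNS entries
    are authoritative; the subject commonName is consulted only when the
    certificate carries no DNS SANs at all."""
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for (k, v) in rdn:
                if k == "commonName":
                    dns_names.append(v)
    return any(_dns_match(name, hostname) for name in dns_names)


def verify_peer(chain_ok: bool, cert: dict, expected_host: str) -> str:
    """Combine the two checks.  `chain_ok` stands for
    SSL_get_verify_result() == X509_V_OK; the name check is the part the
    library does not do for a 1.0.1-era client."""
    if not chain_ok:
        return "reject: chain verification failed"
    if not match_hostname(cert, expected_host):
        return "reject: certificate does not name %s" % expected_host
    return "ok"


# Constructed sample: a certificate for example.com with a valid chain.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

# Constructed sample with no SAN extension, so the CN fallback applies.
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.org"),),)}


if __name__ == "__main__":
    # Talking to the intended server: both checks pass.
    print(verify_peer(True, SAMPLE_CERT, "example.com"))
    # The same, chain-valid certificate relayed by a local forwarder the
    # client reached as "localhost": chain verification alone says OK,
    # the name check is what rejects it.
    print(verify_peer(True, SAMPLE_CERT, "localhost"))
```

The point of `verify_peer` is the ordering: a zero verify result is necessary but not sufficient, and a client that stops after SSL_get_verify_result() accepts any chain-valid certificate whatever host it was issued for.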