Verify the TLS connection's peer.
authorWerner Koch <wk@gnupg.org>
Thu, 3 Apr 2014 11:33:28 +0000 (13:33 +0200)
committerWerner Koch <wk@gnupg.org>
Thu, 3 Apr 2014 11:33:28 +0000 (13:33 +0200)
commit47c419c66081b056a13f2a6d7dfb29c6d304cff4
tree77f0749ccdf1a82e68037542b272afed4db50da1
parent1eb7b85218e1a1fa9932b5a3ca8560803837d2e5
Verify the TLS connection's peer.

* src/http.c (http_session_s): Add fields verify and servername.
(tls_ca_certlist): New.
(http_register_tls_ca): New.
(http_session_new): Set the CA certs into the credentials.
(send_request): Store the servername.
(http_verify_server_credentials): New.
* src/t-http.c (main): Register CAs.
(verify_callback): Call the new verify function.
* src/tlssupport.c (verify_callback): Ditto.
* src/tls-ca.pem: New.
--

We should implement a better system than to read the CA certs from the
file every time.  Keeping default credentials object would thus be
useful.

tls-ca.pem has certificates for stripe.com.  They use different root
CA and even a 1014 bit one.  The whole PKIX is anyway broken, so who
cares.  I considered to check just the fingerprint of the actual
certificate but that won't allow for an easy certificate replacement
.gitignore
src/Makefile.am
src/http.c
src/http.h
src/t-http.c
src/tls-ca.pem [new file with mode: 0644]
src/tlssupport.c