Metriche repository
- Star
- (30.157 star)
- Metriche merge PR
- (Nessuna PR mergiata in 30 g)
Descrizione
Apologies if this is a duplicate issue: I did search but couldn't find it maybe due to the wrong keywords.
Right now the basic SSL_CTX_new, SSL_new, SSL_connect series of functions doesn't authenticate the server properly, or set up SNI. To do this right requires creating an X509 verification context, configuring it, then setting the SSL to use it. People get this wrong.
Other libraries do this right: Go has tls.Dial("tcp", "www.example.com:443", nil) that Just Works (tm), and can be easily configured through the third argument. Obviously harder in in C.
What I think we want (and happy to get corrected) is SSL_set_expected_servername(SSL *s, unsigned char *dnsname) that does this whole dance for the user. This will dramatically improve the security ordinary programmers get when using OpenSSL.