
Re: [Lynx-dev] SSL certificates


From: Thorsten Glaser
Subject: Re: [Lynx-dev] SSL certificates
Date: Tue, 9 May 2006 10:25:07 +0000 (UTC)

Thomas Dickey dixit:

>On Wed, Mar 29, 2006 at 08:23:45PM +0000, Thorsten Glaser wrote:
>> Hi people,
>> 
>> to add to all the traffic on the list... I've implemented full
>> SSL certificate validation taking into account wildcard certificates
>> (only if the wildcard is the first character, I feel it's more secure
>> this way) and multiple CNs in the DN (as employed by e.g. cacert.org).

>But if I
>see a patch, I'll add it to my to-do list...

It did take me a while *blush* but here you are... reviewed on
a DEC VT420 ;) and tested via ssh onto a GNU/Linux box (and of
course, weeks of testing as part of the MirOS BSD base system).

I have, by no means, validated whether the code allows "more
than it should", but it does what it promises: verify against
hosts with more than one CommonName in the DistinguishedName,
such as cacert.org, and handle leading asterisks in certificates
well (I did not implement middle asterisks for security
reasons).

>>*) http://mirbsd.mirsolutions.de/cvs.cgi/src/etc/ssl.certs.shar?rev=HEAD
>>   Please feel free to use them. These are the certificates from MSIE 5
>>   on Win2k, some Netscape, plus CAcert.org; old or invalid certificates
>>   removed or (when applicable, e.g. Thawte Root Rollover) updated. I do
>>   of course not warrant they're correct, but that's the "standard set"
>>   trusted by "the others" too.

Did anyone look at this?

bye,
//mirabile
-- 
> find emacs as well as vi sickening (joe rules) and consider pine the only
> usable text-mode mail client (and I have tried them all). ;)
Hellooooo, I am Holger ("Hello Holger!"), and I am likewise
... a pine user, and a habitual one at that ("Oooooooohhh").  [from dasr]

Attachment: lydiff
Description: Text document
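
The matching rule described in the message above, as an added example (not the attached lydiff patch and not Lynx's own code): a certificate is accepted if any of its CNs matches the host, and an asterisk is honoured only at the start of the name. The function names, the sample CNs, treating "*" as one whole first label, and refusing bare "*.tld" patterns are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality; host names are not case-sensitive. */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* 1 if a single CN matches the host, else 0. Assumed here: "*" counts
 * only as the whole first label and stands for exactly one label. */
static int cn_matches_host(const char *cn, const char *host)
{
    const char *dot;
    if (cn[0] == '\0' || host[0] == '\0')
        return 0;
    if (strchr(cn, '*') == NULL)          /* plain name: exact match */
        return ci_equal(cn, host);
    /* Wildcard must be "*." + suffix with no further asterisk. */
    if (cn[0] != '*' || cn[1] != '.' || strchr(cn + 1, '*') != NULL)
        return 0;
    /* Suffix needs an inner dot, so a bare "*.org" is refused. */
    dot = strchr(cn + 2, '.');
    if (dot == NULL || dot[1] == '\0')
        return 0;
    /* Host's first label replaces "*"; the rest must equal ".suffix". */
    dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;
    return ci_equal(dot, cn + 1);
}

/* 1 if any CN taken from the subject DN matches the host. */
static int any_cn_matches(const char *const *cns, size_t n, const char *host)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (cn_matches_host(cns[i], host))
            return 1;
    return 0;
}

/* Constructed sample: two CNs as they might appear in one subject DN. */
static const char *const sample_cns[] = { "www.example.org", "*.example.net" };
int main(void) { return any_cn_matches(sample_cns, 2, "secure.example.net") ? 0 : 1; }
```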

