[Vm-dev] [squeak-dev] SqueakSSL + SAN certificates

Levente Uzonyi leves at elte.hu
Fri Aug 21 16:10:44 UTC 2015


Hi Tobias,

That sounds like a good plan. To sum it up, the only difference to the 
current version is that the plugin will verify server names as well (this 
is something OpenSSL doesn't support out of the box, but it has all the tools 
necessary to do).
So a), b) and c) are all image-side changes. I'm not sure if we need c) at 
all, because we can simply signal a resumable error when the certificate 
chain fails to be verified by the plugin, and let you, the user, handle 
that error when necessary.

Levente

On Thu, 20 Aug 2015, Tobias Pape wrote:

> Hi again
> (hi sven)
>
> On 02.06.2015, at 05:56, Levente Uzonyi <leves at elte.hu> wrote:
>
>> Hi David,
>>
>> There's a debate about how SAN certificates - and server name verification in general - should be handled[1][2].
>> I tend to agree with Tobias on verifying the server name in the plugin, but getting there will require further efforts - especially on the unix platform.
>>
>> While this version solves a particular case, and is backwards compatible on the image side, I think we should look for a better, more general solution.
>
> I have sketched an idea how to handle verification in SqueakSSL in general (and briefly presented to Bert),
> I'm not yet sure, however, and I'm on vacation the next two weeks. But after
> that I'd like to spark a discussion (hopefully including Sven, for Zodiac) that will involve:
>
> a) no manual verification. Period.
> b) fail on non-verification.
> c) optional 'unverified' mode that has to be requested explicitly
> d) Moving the Unix platform code to libtls (easier to understand)
>
> That's my 2ct for now, more in September.
>
> Best regards
> 	-Tobias
>
>
>
>>
>> Levente
>>
>> [1] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184613.html
>> [2] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184631.html
>>
>> On Mon, 1 Jun 2015, David T. Lewis wrote:
>>
>>>
>>> Hi Levente,
>>>
>>> Regarding your VM changes for SqueakSSL, shall I commit these to the SVN
>>> trunk repository? Ian delegated access to platforms/unix so that I can do
>>> that for you if you like.
>>>
>>> We have several Mantis entries to track your SqueakSSL work:
>>>
>>> http://bugs.squeak.org/view.php?id=7751 (Add SSL plugin)
>>> http://bugs.squeak.org/view.php?id=7793 (Memory leak in the SqueakSSL plugin on unix)
>>> http://bugs.squeak.org/view.php?id=7824 (Add TLS SNI Server Name Indication support to SqueakSSL plugin)
>>>
>>> Your latest version http://leves.web.elte.hu/squeak/SqueakSSL/ adds
>>> the SAN certificates support, so I think we should commit your latest
>>> version and close the Mantis issues.
>>>
>>> If you agree I will update the SVN files.
>>>
>>> Thanks,
>>> Dave
>>>
>>> p.s. There are still issues in SqueakSSL when sizeof(sqInt) is 8
>>> (64 bit images) but that is a separate discussion.
>>>
>>>
>>>
>>> On Tue, May 26, 2015 at 11:55:42PM +0200, Levente Uzonyi wrote:
>>>> Hi All,
>>>>
>>>> I've implemented support for reading the domain names from the
>>>> certificate's SAN extension[1] in SqueakSSL.
>>>> The image side code is in the Inbox[2]. It is backwards compatible --
>>>> everything works as before without the VM changes.
>>>> I've also uploaded the modified files[3][4] for the unix platform, and a
>>>> diff[5] (which somehow doesn't include the changes of the .h file).
>>>>
>>>> The VM support code for other platforms is to be done.
>>>>
>>>> These changes fix the failing SqueakSSL test in the Trunk, so I suggest
>>>> including the .mcz file in the 4.6 release.
>>>>
>>>> Levente
>>>>
>>>> [1] https://en.wikipedia.org/wiki/SubjectAltName
>>>> [2] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184581.html
>>>> [3] http://leves.web.elte.hu/squeak/SqueakSSL/SqueakSSL.h
>>>> [4] http://leves.web.elte.hu/squeak/SqueakSSL/sqUnixOpenSSL.c
>>>> [5] http://leves.web.elte.hu/squeak/SqueakSSL/diff.txt
>
>
>
>
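
Added example, not part of the original thread and not the SqueakSSL plugin's code: a sketch in C of the server-name check discussed above, matching a host name against the dNSName entries read from a certificate's SAN extension and failing closed when none matches. The struct, the function names and the sample entries are assumptions made for illustration; IP-address entries and internationalized names are not handled.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* One dNSName entry as decoded from the certificate: bytes plus length. */
struct san_entry { const char *data; size_t len; };
#define SAN(s) { (s), sizeof(s) - 1 }
/* Constructed sample entries, not taken from a real certificate. */
static const struct san_entry sample_san[] = {
    SAN("example.org"), SAN("*.example.org"), SAN("www.example.org\0.evil.test"),
};

static int ascii_ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Returns 1 if the entry matches host. A wildcard is accepted only as the
 * whole left-most label and stands for exactly one label. */
int san_name_matches(const char *pat, size_t plen, const char *host)
{
    size_t hlen = strlen(host);
    /* An embedded NUL would make C string functions see a shorter name. */
    if (plen == 0 || hlen == 0 || memchr(pat, '\0', plen) != NULL)
        return 0;
    if (pat[0] != '*')
        return plen == hlen && memchr(pat, '*', plen) == NULL
            && ascii_ieq(pat, host, plen);
    const char *suffix = pat + 1;            /* ".example.org" */
    size_t slen = plen - 1;
    if (slen < 2 || suffix[0] != '.' || memchr(suffix, '*', slen) != NULL
        || memchr(suffix + 1, '.', slen - 1) == NULL)   /* rejects "*.org" */
        return 0;
    const char *dot = strchr(host, '.');     /* end of the host's first label */
    if (dot == NULL || dot == host) return 0;
    return strlen(dot) == slen && ascii_ieq(dot, suffix, slen);
}

/* Fail closed: 1 only if some entry matches, 0 otherwise. */
int verify_server_name(const struct san_entry *san, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (san_name_matches(san[i].data, san[i].len, host))
            return 1;
    return 0;
}
```

Passing each entry with its decoded length, instead of as a C string, is what lets the check reject a name that carries an embedded NUL byte.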

