[Vm-dev] Re: [squeak-dev] SqueakSSL + SAN certificates
Levente Uzonyi
leves at elte.hu
Tue Jun 2 03:56:46 UTC 2015
Hi David,

There's a debate about how SAN certificates - and server name
verification in general - should be handled[1][2].
I tend to agree with Tobias on verifying the server name in the plugin,
but getting there will require further efforts - especially on the unix
platform.

While this version solves a particular case, and is backwards compatible
on the image side, I think we should look for a better, more general
solution.

Levente

[1] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184613.html
[2] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184631.html
On Mon, 1 Jun 2015, David T. Lewis wrote:
>
> Hi Levente,
>
> Regarding your VM changes for SqueakSSL, shall I commit these to the SVN
> trunk repository? Ian delegated access to platforms/unix so that I can do
> that for you if you like.
>
> We have several Mantis entries to track your SqueakSSL work:
>
> http://bugs.squeak.org/view.php?id=7751 (Add SSL plugin)
> http://bugs.squeak.org/view.php?id=7793 (Memory leak in the SqueakSSL plugin on unix)
> http://bugs.squeak.org/view.php?id=7824 (Add TLS SNI Server Name Indication support to SqueakSSL plugin)
>
> Your latest version http://leves.web.elte.hu/squeak/SqueakSSL/ adds
> the SAN certificates support, so I think we should commit your latest
> version and close the Mantis issues.
>
> If you agree I will update the SVN files.
>
> Thanks,
> Dave
>
> p.s. There are still issues in SqueakSSL when sizeof(sqInt) is 8
> (64 bit images) but that is a separate discussion.
>
>
>
> On Tue, May 26, 2015 at 11:55:42PM +0200, Levente Uzonyi wrote:
>> Hi All,
>>
>> I've implemented support for reading the domain names from the
>> certificate's SAN extension[1] in SqueakSSL.
>> The image side code is in the Inbox[2]. It is backwards compatible --
>> everything works as before without the VM changes.
>> I've also uploaded the modified files[3][4] for the unix platform, and a
>> diff[5] (which somehow doesn't include the changes of the .h file).
>>
>> The VM support code for other platforms is to be done.
>>
>> These changes fix the failing SqueakSSL test in the Trunk, so I suggest
>> including the .mcz file in the 4.6 release.
>>
>> Levente
>>
>> [1] https://en.wikipedia.org/wiki/SubjectAltName
>> [2] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184581.html
>> [3] http://leves.web.elte.hu/squeak/SqueakSSL/SqueakSSL.h
>> [4] http://leves.web.elte.hu/squeak/SqueakSSL/sqUnixOpenSSL.c
>> [5] http://leves.web.elte.hu/squeak/SqueakSSL/diff.txt
>