[squeak-dev] SqueakSSL questions and problems

Douglas Brebner kirtai+st at gmail.com
Tue Oct 27 20:25:50 UTC 2020


On 27/10/2020 20:00, Tobias Pape wrote:
> 
>> On 27.10.2020, at 19:31, Douglas Brebner <kirtai+st at gmail.com> wrote:

> All in all, SqueakSSL _used_to_ only verify on Windows, because it did not work anywhere else.
> For Unix/openssl, I implemented Cert checking in so far that the hostname is ok, (maybe more? I can't remember), for libressl/libtls, it should validate most things.

Ok, something to take a look at then.

> For Mac, things were meeeh. I even debugged into CommonCrypto and such just to find that it goes "should I verify here?" which was deeeply frustrating.

Ouch, so Mac users just have to keep a close eye on things then.


> In theory, things should validate, in practice, not so much.

Wonderful. Something else to investigate.


>> In addition to this, I found that some of the SqueakSSL tests ping Google, Facebook and Yahoo urls. Changing these would be nice.
> 
> Hmm. These ones are useful and maaaybe are not down so often.
> Anything we control is bound to have more downtime ¯\_(ツ)_/¯

Alright. I just don't like pinging them. Especially since the tests need 
fixed *anyway* due to various errors they're hiding. (The TLS connection 
works but the http layer returns errors due to site changes).

>> Finally, is SqueakSSL an appropriate name for a *TLS* library used on both Squeak and Cuis? ;)
> 
> History…

Yeah, I just wondered if there was any interest in changing the name or 
not. I'm fine with leaving it as is.

>> P.S. Ordinary Squeak client to remote https servers connections work fine on my linux machine. Wireshark shows TLS 1.3 connections.
> 
> Depends on your OpenSSL library version :)

I realised that :)
I just meant that it supports the latest TLS 1.3 without needing any 
changes. I was concerned that SqueakSSL would need updated for that and 
that's *definitely* something I don't want to touch.

Thanks


