[Vm-dev] Re: [squeak-dev] SqueakSSL + SAN certificates

Levente Uzonyi leves at elte.hu
Tue Jun 2 03:56:46 UTC 2015


Hi David,

There's a debate about how SAN certificates - and server name 
verification in general - should be handled[1][2].
I tend to agree with Tobias on verifying the server name in the plugin, 
but getting there will require further efforts - especially on the unix 
platform.

While this version solves a particular case, and is backwards compatible 
on the image side, I think we should look for a better, more general 
solution.

Levente

[1] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184613.html
[2] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184631.html

On Mon, 1 Jun 2015, David T. Lewis wrote:

>
> Hi Levente,
>
> Regarding your VM changes for SqueakSSL, shall I commit these to the SVN
> trunk repository? Ian delegated access to platforms/unix so that I can do
> that for you if you like.
>
> We have several Mantis entries to track your SqueakSSL work:
>
>  http://bugs.squeak.org/view.php?id=7751 (Add SSL plugin)
>  http://bugs.squeak.org/view.php?id=7793 (Memory leak in the SqueakSSL plugin on unix)
>  http://bugs.squeak.org/view.php?id=7824 (Add TLS SNI Server Name Indication support to SqueakSSL plugin)
>
> Your latest version http://leves.web.elte.hu/squeak/SqueakSSL/ adds
> the SAN certificates support, so I think we should commit your latest
> version and close the Mantis issues.
>
> If you agree I will update the SVN files.
>
> Thanks,
> Dave
>
> p.s. There are still issues in SqueakSSL when sizeof(sqInt) is 8
> (64 bit images) but that is a separate discussion.
>
>
>
> On Tue, May 26, 2015 at 11:55:42PM +0200, Levente Uzonyi wrote:
>> Hi All,
>>
>> I've implemented support for reading the domain names from the
>> certificate's SAN extension[1] in SqueakSSL.
>> The image side code is in the Inbox[2]. It is backwards compatible --
>> everything works as before without the VM changes.
>> I've also uploaded the modified files[3][4] for the unix platform, and a
>> diff[5] (which somehow doesn't include the changes of the .h file).
>>
>> The VM support code for other platforms is still to be done.
>>
>> These changes fix the failing SqueakSSL test in the Trunk, so I suggest
>> including the .mcz file in the 4.6 release.
>>
>> Levente
>>
>> [1] https://en.wikipedia.org/wiki/SubjectAltName
>> [2] http://lists.squeakfoundation.org/pipermail/squeak-dev/2015-May/184581.html
>> [3] http://leves.web.elte.hu/squeak/SqueakSSL/SqueakSSL.h
>> [4] http://leves.web.elte.hu/squeak/SqueakSSL/sqUnixOpenSSL.c
>> [5] http://leves.web.elte.hu/squeak/SqueakSSL/diff.txt
>

