This patch provides code to validate the server certificate in
server links, defeating nasty man-in-the-middle attacks on server
links.
Features:
- Check whether the certificate is signed by a trusted certificate
authority (CA).
- Check the host name, including wildcard certificates and Subject
Alternative Names.
- Optionally check against a certificate revocation list (CRL).
- Implementation for both OpenSSL and GnuTLS linkage.
Left for another day:
- Parameterize the TLS parameter of an outbound connection. Currently,
it's hardcoded to disable all versions before TLSv1.1.
- Using certificate as CA-certificate. They work for GnuTLS only but
perhaps this should rather raise an error there, too.
- Optional OCSP checking.
- Checking client certificates. Code is there but this first needs some
consideration about the use cases. This could replace all other
authentication methods, for both client-server and server-server
connections.
This patch is based on a patch by Florian Westphal from 2009, which
implemented this for OpenSSL only:
From: Florian Westphal <fw@strlen.de>
Date: Mon, 18 May 2009 00:29:02 +0200
Subject: SSL/TLS: Add initial certificate support to OpenSSL backend
Commit message modified by Alex Barton.
Closes #120, "Server links using TLS/SSL need certificate validation".
Supersedes PR #8, "Options for verifying and requiring SSL client
certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.