Re: preliminary SSL client
From: <mi...@ac...> - 2001-08-25 12:49:09
Ok, I've looked through the code, and I see you are not doing any certificate verification. I believe you have to add a call to: SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); on the context before doing anything.

However, I didn't see any server code in your stuff, so I assume you are using my server for this? The above won't work in that case, because the server will expect certificate authentication; you would have to do the previous call on the server, also.

It would probably be easier to just add the certificate stuff. It's not hard to create a certificate, the directions are in my changes to the documentation.

-Corey

Alexey Mahotkin <al...@hs...> writes:

> Hello,
>
> I've committed preliminary SSL client implementation. On server side
> you have to use stunnel. I think that this is rather useful setup
> even without client certificates (which will be implemented later).
>
> Corey, I was looking at your sources when creating it. It currently
> writes ok (I've checked with recordio), and the stunnelled cvs-pserver
> writes back "I LOVE YOU" ok, but the client dies with:
>
> Logging in to :pserver:alexm@localhost:22401/repos
> CVS password:
> Entered internal_start_server
> Created socket_client: 0x80d4100
> Created ssl_client: 0x80d4138
> Entered ssl_connect()
> ssl_write(27)
> ssl_write(6)
> ssl_write(1)
> ssl_write(5)
> ssl_write(1)
> ssl_write(4)
> ssl_write(1)
> ssl_write(25)
> ssl_read(1)
> Could not read SSL data: bad asn1 object header
>
> The ssl_write()s are the "BEGIN AUTH REQUEST user password repository
> END AUTH REQUEST".
>
> Corey, if you could look at it and say if I've missed something
> crucial, it would be great. I'll also look at fetchmail
> implementation, but maybe I'm just overlooking something tiny.
>
> --alexm
>
> _______________________________________________
> Cvs-nserver-devel mailing list
> Cvs...@li...
> http://lists.sourceforge.net/lists/listinfo/cvs-nserver-devel