2 unstable releases
Uses old Rust 2015
| Version | Released |
|---|---|
| 0.2.0 | Aug 12, 2016 |
| 0.1.0 | May 6, 2016 |
#18 in #hostname
1,933 downloads per month
Used in 9 crates (2 directly)
20KB
355 lines
rust-openssl-verify
Hostname verification for OpenSSL.
OpenSSL up until version 1.1.0 did not support verification that the certificate a server presents matches the domain a client is connecting to. This check is crucial, as an attacker otherwise needs only to obtain a legitimately signed certificate to some domain to execute a man-in-the-middle attack.
The implementation in this crate is based off of libcurl's.
Examples
In most cases, the `verify_callback` function should be used in OpenSSL's verification callback:
```rust
// Targets the openssl 0.7-era API this crate was written against.
extern crate openssl;
extern crate openssl_verify;

use std::net::TcpStream;
use openssl::ssl::{SslContext, SslMethod, SslStream, SSL_VERIFY_PEER, IntoSsl};
use openssl_verify::verify_callback;

fn main() {
    let domain = "google.com";
    let stream = TcpStream::connect((domain, 443)).unwrap();

    // Enable peer verification against the system's default CA store.
    let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
    ctx.set_default_verify_paths().unwrap();
    let mut ssl = ctx.into_ssl().unwrap();

    // Chain the hostname check onto OpenSSL's chain verification: the closure
    // receives OpenSSL's preverify result and the X509 store context and must
    // return false to abort the handshake when the names do not match.
    let domain = domain.to_owned();
    ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| verify_callback(&domain, p, x));

    let ssl_stream = SslStream::connect(ssl, stream).unwrap();
}
```
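The README says the check is modelled on libcurl's hostname matching. The block below is an added, stand-alone illustration of that kind of matcher, not code from the openssl-verify crate: `CertNames` is a constructed stand-in for the names a parsed certificate would yield, and the rules encoded in `hostmatch` (case-insensitive comparison, a wildcard only as the whole leftmost label, no match across labels, no `*.com`-style patterns, no wildcard match for IP literals, SAN entries taking precedence over the CN) are the libcurl-style rules as the example assumes them, simplified for clarity.

```rust
use std::net::IpAddr;

/// Names extracted from a server certificate (constructed for this example).
#[derive(Debug, Default)]
pub struct CertNames {
    /// subjectAltName dNSName entries
    pub dns_names: Vec<String>,
    /// subjectAltName iPAddress entries
    pub ip_addrs: Vec<IpAddr>,
    /// subject commonName; only consulted when the certificate has no SAN entries
    pub common_name: Option<String>,
}

/// Match one certificate name pattern against a hostname, libcurl-style
/// (assumed rules): case-insensitive; a wildcard is allowed only as the whole
/// leftmost label (`*.example.com`) and matches exactly one label; the pattern
/// must keep at least two literal labels so `*.com` never matches; a hostname
/// that is an IP literal never matches a wildcard.
pub fn hostmatch(pattern: &str, host: &str) -> bool {
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if pattern.is_empty() || host.is_empty() {
        return false;
    }
    // Exact (case-insensitive) match always wins.
    if pattern == host {
        return true;
    }
    // Only the `*.rest` form is a wildcard; `f*o.example.com` is taken literally.
    let rest = match pattern.strip_prefix("*.") {
        Some(rest) => rest,
        None => return false,
    };
    // `*.com` leaves a single label after the wildcard: too broad, reject.
    if rest.matches('.').count() < 1 {
        return false;
    }
    // IP literals are never wildcard-matched.
    if host.parse::<IpAddr>().is_ok() {
        return false;
    }
    // The wildcard must cover exactly one non-empty label; the tail must match.
    match host.split_once('.') {
        Some((first, tail)) => !first.is_empty() && !first.contains('*') && tail == rest,
        None => false,
    }
}

/// Decide whether `domain` (a hostname or IP literal) is covered by `names`.
/// SAN entries take precedence; the CN is used only when no SAN is present.
pub fn verify_hostname(domain: &str, names: &CertNames) -> bool {
    if let Ok(ip) = domain.parse::<IpAddr>() {
        // An IP literal must appear as an iPAddress SAN; dNSName entries are
        // not consulted for it.
        return names.ip_addrs.contains(&ip);
    }
    if !names.dns_names.is_empty() || !names.ip_addrs.is_empty() {
        return names.dns_names.iter().any(|p| hostmatch(p, domain));
    }
    names
        .common_name
        .as_deref()
        .map_or(false, |cn| hostmatch(cn, domain))
}

fn main() {
    // Constructed certificate: a SAN wildcard plus a CN that must be ignored.
    let names = CertNames {
        dns_names: vec!["*.example.com".to_string()],
        ip_addrs: vec![],
        common_name: Some("other.test".to_string()),
    };
    for host in ["www.example.com", "a.b.example.com", "example.com", "other.test"] {
        println!("{:<18} -> {}", host, verify_hostname(host, &names));
    }
}
```

The point worth noticing is the CN case: once a certificate carries any SAN entry, a matching CN alone does not make the connection valid, which is why a name check that only looks at the subject's CN is not equivalent to the one this crate performs.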
Dependencies
~1.7–3MB
~67K SLoC