Crate openssl_verify [] [src]

Hostname verification for OpenSSL.

OpenSSL up until version 1.1.0 did not support verification that the certificate a server presents matches the domain a client is connecting to. This check is crucial, as an attacker otherwise needs only to obtain a legitimately signed certificate to some domain to execute a man-in-the-middle attack.

The implementation in this crate is based off of libcurl's.

Examples

In most cases, the verify_callback function should be used in OpenSSL's verification callback:

extern crate openssl;
extern crate openssl_verify;

use std::net::TcpStream;
use openssl::ssl::{SslContext, SslMethod, SslStream, SSL_VERIFY_PEER, IntoSsl};
use openssl_verify::verify_callback;

let domain = "google.com";
let stream = TcpStream::connect((domain, 443)).unwrap();

let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
ctx.set_default_verify_paths().unwrap();

let mut ssl = ctx.into_ssl().unwrap();
let domain = domain.to_owned();
ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| verify_callback(&domain, p, x));

let ssl_stream = SslStream::connect(ssl, stream).unwrap();

Functions

verify_callback

A convenience wrapper around verify_hostname that implements the logic for OpenSSL's certificate verification callback.

verify_hostname

Validates that the certificate matches the provided fully qualified domain name.