Crate openssl_verify [−] [src]
Hostname verification for OpenSSL.
OpenSSL up until version 1.1.0 did not support verification that the certificate a server presents matches the domain a client is connecting to. This check is crucial, as an attacker otherwise needs only to obtain a legitimately signed certificate to some domain to execute a man-in-the-middle attack.
The implementation in this crate is based off of libcurl's.
Examples
In most cases, the verify_callback
function should be used in OpenSSL's
verification callback:
extern crate openssl; extern crate openssl_verify; use std::net::TcpStream; use openssl::ssl::{SslContext, SslMethod, SslStream, SSL_VERIFY_PEER, IntoSsl}; use openssl_verify::verify_callback; let domain = "google.com"; let stream = TcpStream::connect((domain, 443)).unwrap(); let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap(); ctx.set_default_verify_paths().unwrap(); let mut ssl = ctx.into_ssl().unwrap(); let domain = domain.to_owned(); ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| verify_callback(&domain, p, x)); let ssl_stream = SslStream::connect(ssl, stream).unwrap();
Functions
verify_callback |
A convenience wrapper around verify_hostname that implements the logic for OpenSSL's certificate verification callback. |
verify_hostname |
Validates that the certificate matches the provided fully qualified domain name. |