Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | When displaying an unknown certificate, also display the certificate fingerprint so the user can verify they're seeing the certificate they expect. Just displaying the textual names in the certificate does not give enough information to be certain someone isn't doing a man in the middle attack. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | ben-security |
| Files: | files | file ages | folders |
| SHA1: |
fc93bfb0f720e5d1a2963a60b4c263f7 |
| User & Date: | ben 2011-05-22 14:53:02.216 |
Context
|
2011-05-22
| ||
| 15:08 | Follow web app best practise by marking cookies as HttpOnly and, if it's over an https connection, as 'secure' so they will only be transmitted over https. Options supported by major browsers, and harmless where not supported. ... (check-in: e4b57a3230 user: ben tags: ben-security) | |
| 14:53 | When displaying an unknown certificate, also display the certificate fingerprint so the user can verify they're seeing the certificate they expect. Just displaying the textual names in the certificate does not give enough information to be certain someone isn't doing a man in the middle attack. ... (check-in: fc93bfb0f7 user: ben tags: ben-security) | |
| 14:23 | Create new branch named "ben-security" ... (check-in: 2b4a6a66e1 user: ben tags: ben-security) | |
Changes
Changes to src/http_ssl.c.
| ︙ | ︙ | |||
180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 |
}
if( SSL_get_verify_result(ssl) != X509_V_OK ){
char *desc, *prompt;
char *warning = "";
Blob ans;
BIO *mem;
mem = BIO_new(BIO_s_mem());
X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
BIO_puts(mem, "\n\nIssued By:\n\n");
X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);
BIO_write(mem, "", 1); // null-terminate mem buffer
BIO_get_mem_data(mem, &desc);
if( hasSavedCertificate ){
warning = "WARNING: Certificate doesn't match the "
"saved certificate for this host!";
}
| > > > > > > > > > | 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 |
}
if( SSL_get_verify_result(ssl) != X509_V_OK ){
char *desc, *prompt;
char *warning = "";
Blob ans;
BIO *mem;
unsigned char md[32];
unsigned int mdLength = 31;
mem = BIO_new(BIO_s_mem());
X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
BIO_puts(mem, "\n\nIssued By:\n\n");
X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);
BIO_puts(mem, "\n\nSHA1 Fingerprint:\n\n ");
if(X509_digest(cert, EVP_sha1(), md, &mdLength)){
int j;
for( j = 0; j < mdLength; ++j ) {
BIO_printf(mem, " %02x", md[j]);
}
}
BIO_write(mem, "", 1); // null-terminate mem buffer
BIO_get_mem_data(mem, &desc);
if( hasSavedCertificate ){
warning = "WARNING: Certificate doesn't match the "
"saved certificate for this host!";
}
|
| ︙ | ︙ |