
I would have liked to see the logic on the client side to decide if the certificate presented by the server is valid.



I'm a little surprised the OpenSSL API doesn't force you to consider this by default, but indeed it does not: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_new.html...

> On session establishment, by default, no peer credentials verification is done. This must be explicitly requested, typically using SSL_CTX_set_verify(3).

Aside: According to those docs, SSLv23_client_method() is deprecated.
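The point made in the comment above, as an added example that is not part of the thread or of the project under discussion: Python's standard `ssl` module wraps the same OpenSSL calls, so it shows the two defaults side by side. A context created from `PROTOCOL_TLS` (an alias of the deprecated `PROTOCOL_SSLv23`, the counterpart of `SSLv23_client_method()`) does no peer verification, exactly as the `SSL_CTX_new` docs describe; `PROTOCOL_TLS_CLIENT` turns verification and the hostname check on, which is what `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)` plus a hostname check achieves in C. The function names (`legacy_client_context`, `make_verifying_context`, `audit_client_context`, `connect_verified`) are my own and hypothetical.

```python
"""Client-side TLS peer verification: the weak default beside the hardened one.

Added example; the function names below are hypothetical. The ssl module
wraps OpenSSL, so SSLContext(PROTOCOL_TLS) behaves like an SSL_CTX built
from the deprecated SSLv23 method: no peer verification unless requested.
"""
import socket
import ssl
import warnings
from typing import List, Optional


def legacy_client_context() -> ssl.SSLContext:
    """Context built the old way: no chain verification, no hostname check.

    PROTOCOL_TLS mirrors SSLv23_client_method(); the resulting context has
    verify_mode CERT_NONE, so any certificate, including one presented by a
    host reached through a DNS redirect, is accepted.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_TLS)


def make_verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that verifies the chain and matches the hostname.

    Equivalent to SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL) followed by
    loading a trust store and enabling the hostname check. cafile is optional;
    when None the platform's default CA store is used.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already sets these; stating them keeps the intent
    # visible if someone later swaps the protocol constant.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    # Revocation (CRL/OCSP) is a separate step: ssl.VERIFY_CRL_CHECK_LEAF in
    # ctx.verify_flags only works once matching CRLs have been loaded, so it
    # is deliberately not switched on here.
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses of a client context (empty if none)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2")
    return findings


def connect_verified(hostname: str, port: int = 443,
                     ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Open a TLS connection that fails closed on an untrusted or mismatched
    certificate. server_hostname drives both SNI and the hostname check."""
    ctx = ctx or make_verifying_context()
    raw = socket.create_connection((hostname, port), timeout=10)
    try:
        return ctx.wrap_socket(raw, server_hostname=hostname)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    for label, c in (("legacy", legacy_client_context()),
                     ("verifying", make_verifying_context())):
        print(label, audit_client_context(c) or ["no findings"])
```

Running the module prints the audit of both contexts: the legacy one is flagged for `CERT_NONE` and the missing hostname check, the verifying one has no findings. `connect_verified` raises `ssl.SSLCertVerificationError` instead of returning a socket when the chain or hostname does not check out, which is the fail-closed behaviour the thread is asking for.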


Yeah, not verifying server cert or OCSP/CRLs is a problem. DNS attacks can redirect and you'd be none the wiser.


The page was updated to include that.


Well done!
