
Marios Titas:
If I want to use HsOpenSSL for a TLS client application that verifies the server certificate, I have to manually specify a CA certificate bundle containing the trusted roots. For example, on a Linux system, I would do the following:
    import OpenSSL.Session (SSLContext, VerificationMode(..), context,
                            contextSetCADirectory, contextSetVerificationMode)

    -- Build a client context that rejects peers whose chain does not
    -- validate against the roots found in the given CA directory.
    mkTlsContext :: IO SSLContext
    mkTlsContext = do
      ctx <- context
      -- VerifyPeer: fail if the peer presents no certificate, no client-once
      -- semantics, no custom verification callback
      contextSetVerificationMode ctx (VerifyPeer True False Nothing)
      contextSetCADirectory ctx "/etc/ssl/certs"
      return ctx
The problem is that the above solution only works for Linux. Is there a cross-platform way to find a reasonable CA bundle and use it with HsOpenSSL?
Note that the tls package has x509-system [1] that does exactly that. So I am basically asking if anybody has written something similar for HsOpenSSL.
You shouldn't have to manually specify it. There is the function SSL_CTX_set_default_verify_paths() which sets default directories for the CAfile and CApath which are configured during compile-time of openssl. Unfortunately, some distributions don't really follow these standard paths, but that's your first bet. You might find this link interesting too: https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certifi... But from what I see... HsOpenSSL lacks this function. Unless I missed something, I'd call that a bug.
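Since HsOpenSSL does not bind SSL_CTX_set_default_verify_paths(), the practical workaround is the one x509-system uses for the tls package: probe a list of well-known bundle locations and configure the context with the first one that exists. The following is an added example written for this thread, not code from HsOpenSSL or x509-system. The candidate paths are my own assumptions about common Unix-like layouts, and the SSL_CERT_FILE / SSL_CERT_DIR environment variables are the ones OpenSSL's own default-path lookup honours; a Windows system store lookup is not attempted here.

```haskell
{-# LANGUAGE ScopedTypeVariables #-}
-- Added example (not from the thread): locate a system CA bundle the way
-- x509-system does, then configure an HsOpenSSL client context with it.
module TrustStore (mkTlsContext, findSystemCAs, CALocation(..)) where

import Control.Monad (filterM)
import System.Directory (doesDirectoryExist, doesFileExist)
import System.Environment (lookupEnv)
import OpenSSL.Session (SSLContext, VerificationMode(..), context,
                        contextSetCADirectory, contextSetCAFile,
                        contextSetVerificationMode)

data CALocation = CAFile FilePath | CADir FilePath
  deriving (Show, Eq)

-- Candidate bundle files, most specific first. These paths are assumptions
-- about common distribution layouts, not something HsOpenSSL knows about.
candidateFiles :: [FilePath]
candidateFiles =
  [ "/etc/ssl/certs/ca-certificates.crt"      -- Debian/Ubuntu
  , "/etc/pki/tls/certs/ca-bundle.crt"        -- RHEL/Fedora
  , "/etc/ssl/ca-bundle.pem"                  -- SUSE
  , "/etc/ssl/cert.pem"                       -- Alpine, OpenBSD, macOS
  , "/usr/local/share/certs/ca-root-nss.crt"  -- FreeBSD (ca_root_nss)
  ]

-- Hashed-name directories, used only if no bundle file is found.
candidateDirs :: [FilePath]
candidateDirs =
  [ "/etc/ssl/certs"
  , "/etc/pki/tls/certs"
  ]

-- | Locate a trust store. The environment overrides take precedence over
-- the probe list, mirroring what OpenSSL's default-path lookup does.
findSystemCAs :: IO (Maybe CALocation)
findSystemCAs = do
  envFile <- lookupEnv "SSL_CERT_FILE"
  envDir  <- lookupEnv "SSL_CERT_DIR"
  case (envFile, envDir) of
    (Just f, _) -> return (Just (CAFile f))
    (_, Just d) -> return (Just (CADir d))
    _ -> do
      files <- filterM doesFileExist candidateFiles
      dirs  <- filterM doesDirectoryExist candidateDirs
      return $ case (files, dirs) of
        (f:_, _) -> Just (CAFile f)
        (_, d:_) -> Just (CADir d)
        _        -> Nothing

-- | Build a verifying client context. If no trust store can be found the
-- function fails rather than handing back a context that would accept
-- any certificate.
mkTlsContext :: IO SSLContext
mkTlsContext = do
  ctx <- context
  contextSetVerificationMode ctx (VerifyPeer True False Nothing)
  loc <- findSystemCAs
  case loc of
    Just (CAFile f) -> contextSetCAFile ctx f
    Just (CADir d)  -> contextSetCADirectory ctx d
    Nothing -> fail "no system CA bundle found; refusing to build an unverified TLS context"
  return ctx
```

Two points worth keeping in mind when using this. First, a bundle file is preferred over a directory because directory lookups depend on the hash-named symlinks being present (c_rehash), which is exactly the distribution-specific detail the reply above warns about. Second, VerifyPeer only validates the certificate chain; it does not check that the certificate matches the host you intended to connect to, so a client still needs a separate hostname check after the handshake.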