
Hi
Thanks for the response. My problem is that this would probably not
work under Windows, as there is no CA bundle in PEM format somewhere in
the file system, if I am not mistaken. Instead, I think you have to
call CertOpenSystemStore to get the certificates and then parse them
and add them one by one to the OpenSSL context (see [1]). This is also
what x509-system does for the tls package. So I was hoping that
someone had done that already.

Another solution is to have a package that provides its own certificate
bundle. For example, in Perl they have Mozilla::CA [2], which provides
a copy of the certificate bundle from Firefox.

Or maybe there is some other cross-platform solution that I am missing.

[1] https://stackoverflow.com/a/19612161
[2] http://search.cpan.org/perldoc?Mozilla%3A%3ACA
On Sat, Feb 14, 2015 at 2:20 AM, Julian Ospald wrote:
> Marios Titas wrote:
>> If I want to use HsOpenSSL for a TLS client application that verifies the
>> server certificate, I have to manually specify a CA certificate bundle
>> containing the trusted roots. For example, on a Linux system, I would do
>> the following:
>>
>>     import OpenSSL.Session (SSLContext, context, contextSetVerificationMode,
>>                             contextSetCADirectory, VerificationMode(..))
>>
>>     -- A client context that requires and verifies the peer certificate.
>>     mkTlsContext :: IO SSLContext
>>     mkTlsContext = do
>>       ctx <- context
>>       -- VerifyPeer: fail if no peer cert, no client-once, no custom callback
>>       contextSetVerificationMode ctx (VerifyPeer True False Nothing)
>>       -- CApath: directory of hash-named CA certs, a Linux-specific location
>>       contextSetCADirectory ctx "/etc/ssl/certs"
>>       return ctx
>>
>> The problem is that the above solution only works for Linux. Is there a
>> cross-platform way to find a reasonable CA bundle and use it with HsOpenSSL?
>>
>> Note that the tls package has x509-system [1], which does exactly that. So I
>> am basically asking if anybody has written something similar for HsOpenSSL.
> You shouldn't have to manually specify it.
>
> There is the function SSL_CTX_set_default_verify_paths(), which sets the
> default directories for the CAfile and CApath that are configured at
> compile time of OpenSSL.
>
> Unfortunately, some distributions don't really follow these standard
> paths, but that's your first bet.
>
> You might find this link interesting too:
> https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certifi...
>
> But from what I see... HsOpenSSL lacks this function. Unless I missed
> something, I'd call that a bug.

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
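The two routes the thread discusses, SSL_CTX_set_default_verify_paths() with its distribution-dependent compile-time paths and enumerating the Windows system store certificate by certificate, worked through as an added example. This is not code from the thread, from HsOpenSSL or from x509-system. It is written in Python because the standard ssl module wraps exactly those calls (set_default_verify_paths() and get_default_verify_paths() for the OpenSSL defaults, enum_certificates() for CertOpenSystemStore/CertEnumCertificatesInStore), so the selection logic an HsOpenSSL binding would need can be run and checked. The bundle file name cacert.pem, the helper names and the store entries used for checking are this example's own assumptions.

```python
"""Cross-platform trust-root loading for a TLS client: OpenSSL's compile-time
default paths on Unix-like systems, the Windows system certificate store on
win32, and an application-shipped PEM bundle as the fallback.
Example code, not part of HsOpenSSL or the thread."""
import base64
import os
import re
import ssl
import sys

# id-kp-serverAuth: a root trusted only for, say, code signing must not verify TLS servers.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# OpenSSL CApath entries are named <subject-hash>.<n> (certs) or <subject-hash>.r<n> (CRLs).
_HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def der_to_pem(der: bytes) -> str:
    """Wrap one DER certificate (the form the Windows store returns) in PEM armour."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def trusted_for_server_auth(encoding: str, trust) -> bool:
    """Filter for store entries: X.509 only, trusted either unconditionally (True)
    or for an EKU set that includes serverAuth."""
    if encoding != "x509_asn":      # skip pkcs_7_asn blobs
        return False
    if trust is True:
        return True
    return isinstance(trust, (set, frozenset, list, tuple)) and SERVER_AUTH_OID in trust


def store_entries_to_pem(entries) -> str:
    """entries has the shape ssl.enum_certificates() returns on Windows:
    [(der_bytes, encoding, trust), ...]. Returns one PEM bundle of the usable roots."""
    return "".join(der_to_pem(der) for der, enc, trust in entries
                   if trusted_for_server_auth(enc, trust))


def default_paths_usable(cafile, capath) -> bool:
    """Check whether SSL_CTX_set_default_verify_paths() would actually find roots.
    The compile-time cafile may be absent on a given distribution, and a CApath
    without hashed entries verifies nothing while reporting no error."""
    if cafile and os.path.isfile(cafile):
        return True
    if capath and os.path.isdir(capath):
        return any(_HASHED_NAME.match(name) for name in os.listdir(capath))
    return False


def load_trust_roots(ctx: ssl.SSLContext, bundle_path=None):
    """Populate ctx with trust roots. Returns (source, in_memory_ca_count).
    The count is 0 when only a hashed CApath was found: OpenSSL then loads
    certificates lazily by subject hash, so the number is not a health check."""
    if sys.platform == "win32":
        # ssl.enum_certificates() wraps CertOpenSystemStore/CertEnumCertificatesInStore.
        # Only the ROOT store holds anchors; the CA store holds intermediates.
        pem = store_entries_to_pem(ssl.enum_certificates("ROOT"))
        if pem:
            ctx.load_verify_locations(cadata=pem)
            return "windows-system-store", ctx.cert_store_stats()["x509_ca"]
    else:
        paths = ssl.get_default_verify_paths()   # OPENSSLDIR defaults, SSL_CERT_FILE/DIR honoured
        if default_paths_usable(paths.cafile, paths.capath):
            ctx.set_default_verify_paths()       # SSL_CTX_set_default_verify_paths()
            return "openssl-default-paths", ctx.cert_store_stats()["x509_ca"]
    # Last resort: a bundle shipped with the application, the Mozilla::CA approach.
    # "cacert.pem" is an assumed file name, not a path the thread or any library defines.
    if bundle_path and os.path.isfile(bundle_path):
        ctx.load_verify_locations(cafile=bundle_path)
        return "bundled-pem", ctx.cert_store_stats()["x509_ca"]
    raise RuntimeError("no trust roots found; refusing to verify against an empty store")


if __name__ == "__main__":
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED plus hostname checking
    print(load_trust_roots(client, bundle_path="cacert.pem"))
```

The probe in default_paths_usable() matters more than it looks: on Debian-style systems the compile-time cafile often does not exist and only a hashed CApath is present, so cert_store_stats() reports 0 CA certificates after set_default_verify_paths() even though verification works, and on a system with neither, the call succeeds silently and every handshake then fails. The Windows branch filters on the serverAuth EKU, which is the same filtering a CertOpenSystemStore-based importer for HsOpenSSL would need before adding certificates to the context one by one.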