Is there a cross platform CA certificate bundle solution for HsOpenSSL?

Marios Titas:
If I want to use HsOpenSSL for a TLS client application that verifies the server certificate, I have to manually specify a CA certificate bundle containing the trusted roots. For example, on a Linux system I would do the following:

    import OpenSSL.Session (Context, VerificationMode(..), context,
                            contextSetVerificationMode, contextSetCADirectory)

    mkTlsContext :: IO Context
    mkTlsContext = do
        ctx <- context
        -- Require a peer certificate and fail the handshake if it does not
        -- verify against the trusted roots.
        contextSetVerificationMode ctx (VerifyPeer True False Nothing)
        -- Trusted roots: a c_rehash-style directory of PEM files.
        contextSetCADirectory ctx "/etc/ssl/certs"
        return ctx

The problem is that the above solution only works for Linux. Is there a cross-platform way to find a reasonable CA bundle and use it with HsOpenSSL?

Note that the tls package has x509-system [1] that does exactly that. So I am basically asking if anybody has written something similar for HsOpenSSL.

[1] https://hackage.haskell.org/package/x509-system

Julian Ospald:
You shouldn't have to manually specify it. There is the function SSL_CTX_set_default_verify_paths(), which sets the default directories for the CAfile and CApath, which are configured at compile time of OpenSSL. Unfortunately, some distributions don't really follow these standard paths, but that's your first bet.

You might find this link interesting too: https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certifi...

But from what I see... HsOpenSSL lacks this function. Unless I missed something, I'd call that a bug.

Marios Titas:
Hi,

Thanks for the response. My problem is that this would probably not work under Windows, as there is no CA bundle in PEM format somewhere in the file system, if I am not mistaken. Instead, I think you have to call CertOpenSystemStore to get the certificates and then parse them and add them one by one to the OpenSSL context (see [1]). This is also what x509-system does for the tls package. So I was hoping that someone had done that already.

Another solution is to have a package that provides its own certificate bundle. For example, in Perl they have Mozilla::CA [2], which provides a copy of the certificate bundle from Firefox.

Or maybe there is some other cross-platform solution that I am missing.

[1] https://stackoverflow.com/a/19612161
[2] http://search.cpan.org/perldoc?Mozilla%3A%3ACA
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe

Marios Titas:
So I decided to write my own solution for that: https://hackage.haskell.org/package/HsOpenSSL-x509-system

It works similarly to x509-system. Depending on the operating system, it tries to find a reasonable CA certificate store and use that. It should work on most OSs. I tested it on a couple of Linux distros, Mac OS X 10.9, and Windows XP & 8.1.
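The following is an added example, not code from this thread and not the HsOpenSSL-x509-system package's own implementation. It puts together the two ideas discussed above: Julian's point that OpenSSL's default verify paths (which honour the SSL_CERT_FILE and SSL_CERT_DIR environment variables) should be the first bet, and the OS-dependent search for a trust store that Marios describes for his package. Assumptions: the candidate paths are the customary bundle locations for those distributions and will need extending for other targets; Windows (System.Info.os == "mingw32") gets no candidate, because, as the thread notes, there is no PEM bundle on disk there, so the only route in this example is the SSL_CERT_FILE override (importing roots from CertOpenSystemStore is not shown). The HsOpenSSL functions used (context, contextSetCAFile, contextSetCADirectory, contextSetVerificationMode, VerifyPeer) are the package's real API; the module, type and function names are this example's own.

```haskell
module TrustStore (CAStore(..), findSystemCAStore, mkVerifyingContext) where

import Control.Monad (filterM)
import Data.Maybe (listToMaybe)
import OpenSSL.Session (Context, VerificationMode(..), context,
                        contextSetCAFile, contextSetCADirectory,
                        contextSetVerificationMode)
import System.Directory (doesDirectoryExist, doesFileExist)
import System.Environment (lookupEnv)
import System.Info (os)

-- | Where the trusted roots are read from.
data CAStore
    = CAFile FilePath        -- ^ a single PEM bundle
    | CADirectory FilePath   -- ^ a c_rehash-style directory of PEM files
    deriving (Show, Eq)

-- | Well-known trust store locations per platform (assumption: these are
-- the usual distro paths; extend the list for the targets you ship to).
-- The first one that exists is used. "mingw32" (Windows) has no PEM
-- bundle on disk at all, so it gets no candidates.
candidates :: String -> [CAStore]
candidates "linux"   =
    [ CAFile "/etc/ssl/certs/ca-certificates.crt"   -- Debian, Ubuntu
    , CAFile "/etc/pki/tls/certs/ca-bundle.crt"      -- RHEL, Fedora
    , CAFile "/etc/ssl/ca-bundle.pem"                -- openSUSE
    , CAFile "/etc/ssl/cert.pem"                     -- Alpine
    , CADirectory "/etc/ssl/certs"                   -- hashed directory
    ]
candidates "darwin"  = [ CAFile "/etc/ssl/cert.pem" ]
candidates "freebsd" = [ CAFile "/usr/local/share/certs/ca-root-nss.crt" ]
candidates _         = []

storeExists :: CAStore -> IO Bool
storeExists (CAFile p)      = doesFileExist p
storeExists (CADirectory p) = doesDirectoryExist p

-- | Locate a trust store. An explicit override through SSL_CERT_FILE or
-- SSL_CERT_DIR (the variables OpenSSL itself honours for its default
-- verify paths) is tried first, then the platform candidates.
-- Nothing means "refuse to guess": the caller must decide, rather than
-- silently falling back to an unverified connection.
findSystemCAStore :: IO (Maybe CAStore)
findSystemCAStore = do
    envFile <- lookupEnv "SSL_CERT_FILE"
    envDir  <- lookupEnv "SSL_CERT_DIR"
    let overrides = maybe [] (\p -> [CAFile p]) envFile
                 ++ maybe [] (\p -> [CADirectory p]) envDir
    fmap listToMaybe (filterM storeExists (overrides ++ candidates os))

-- | A client context that aborts the handshake unless the server's chain
-- verifies against the located roots. This is chain verification only:
-- matching the certificate against the hostname is a separate check.
mkVerifyingContext :: IO Context
mkVerifyingContext = do
    store <- findSystemCAStore
    ctx   <- context
    -- vpFailIfNoPeerCert = True: a server presenting no certificate is an
    -- error, not an anonymous connection.
    contextSetVerificationMode ctx (VerifyPeer True False Nothing)
    case store of
        Just (CAFile p)      -> contextSetCAFile ctx p
        Just (CADirectory p) -> contextSetCADirectory ctx p
        Nothing -> fail ("no CA trust store found for os=" ++ os
                         ++ "; set SSL_CERT_FILE to a PEM bundle")
    return ctx
```

Call mkVerifyingContext inside OpenSSL.withOpenSSL, as with any HsOpenSSL context. Two design choices matter here: a missing trust store is a hard error rather than a quiet downgrade to VerifyNone, and VerifyPeer establishes only that the chain leads to a trusted root; whether that certificate belongs to the host you dialled still has to be checked on the peer certificate after the handshake.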
participants (2)
- Julian Ospald
- Marios Titas