[Haskell-cafe] Is there a cross platform CA certificate bundle solution for HsOpenSSL?
Julian Ospald
hasufell at posteo.de
Sat Feb 14 02:20:39 UTC 2015
Marios Titas:
> If I want to use HsOpenSSL for a tls client application that verifies
> the server certificate I have to manually specify a CA certificate
> bundle containing the trusted roots. For example, in a linux system, I
> would do the following
>
> mkTlsContext :: IO Context
> mkTlsContext = do
>   ctx <- context
>   contextSetVerificationMode ctx (VerifyPeer True False Nothing)
>   contextSetCADirectory ctx "/etc/ssl/certs"
>   return ctx
>
> The problem is that the above solution only works for linux. Is there
> a cross-platform way to find a reasonable CA bundle and use it with
> HsOpenSSL?
>
> Note that the tls package has x509-system [1] that does exactly that.
> So I am basically asking if anybody has written something similar for
> HsOpenSSL.
>
> [1] https://hackage.haskell.org/package/x509-system
You shouldn't have to manually specify it.
There is the function SSL_CTX_set_default_verify_paths() which sets
default directories for the CAfile and CApath which are configured
during compile-time of openssl.
Unfortunately, some distributions don't really follow these standard
paths, but that's your first bet.
You might find this link interesting too:
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
But from what I see... HsOpenSSL lacks this function. Unless I missed
something, I'd call that a bug.
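Added example (not code from either poster, nor part of HsOpenSSL): one way to fill the gap Julian describes is to bind SSL_CTX_set_default_verify_paths through the FFI and then, because the compiled-in paths may not exist on a given distribution, probe a few well-known store locations as a fallback. It assumes OpenSSL.Session exports `withContext` and `SSLContext_` (check your installed HsOpenSSL version) and the candidate path list is constructed for illustration.

```haskell
{-# LANGUAGE ForeignFunctionInterface #-}
-- Added example, not from the original thread. Assumes HsOpenSSL exports
-- 'withContext' and 'SSLContext_' from OpenSSL.Session.
module DefaultVerifyPaths (mkTlsContext) where

import Control.Monad (filterM, unless)
import Foreign.C.Types (CInt(..))
import Foreign.Ptr (Ptr)
import System.Directory (doesDirectoryExist, doesFileExist)
import OpenSSL.Session

-- SSL_CTX_set_default_verify_paths returns 1 on success, 0 on failure.
-- It installs the CAfile/CApath that were configured when OpenSSL was built.
foreign import ccall unsafe "openssl/ssl.h SSL_CTX_set_default_verify_paths"
  c_setDefaultVerifyPaths :: Ptr SSLContext_ -> IO CInt

-- Fallback locations to probe when the compiled-in defaults are absent on the
-- host. Constructed list for illustration; extend it for the platforms you
-- actually ship to.
candidateDirs, candidateFiles :: [FilePath]
candidateDirs  = ["/etc/ssl/certs"]
candidateFiles = [ "/etc/ssl/certs/ca-certificates.crt"
                 , "/etc/pki/tls/certs/ca-bundle.crt" ]

mkTlsContext :: IO SSLContext
mkTlsContext = do
  ctx <- context
  -- Require a peer certificate and abort the handshake if it fails to verify.
  -- Note: this verifies the chain only; hostname matching is a separate step.
  contextSetVerificationMode ctx (VerifyPeer True False Nothing)
  rc <- withContext ctx c_setDefaultVerifyPaths
  unless (rc == 1) $ fail "SSL_CTX_set_default_verify_paths failed"
  -- The call can succeed even when the compiled-in paths do not exist on this
  -- machine, so also register any known store locations that are present.
  -- SSL_CTX_load_verify_locations accumulates, so these add to the defaults.
  mapM_ (contextSetCADirectory ctx) =<< filterM doesDirectoryExist candidateDirs
  mapM_ (contextSetCAFile ctx)      =<< filterM doesFileExist candidateFiles
  return ctx
```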