[Haskell-cafe] Is there a cross platform CA certificate bundle solution for HsOpenSSL?

Marios Titas redneb8888 at gmail.com
Sat Feb 14 14:23:57 UTC 2015


Hi

Thanks for the response. My problem is that this would probably not
work under Windows as there is no CA bundle in PEM format somewhere in
the file system if I am not mistaken. Instead, I think you have to
call CertOpenSystemStore to get the certificates and then parse them
and add them one by one to the openssl context (see [1]). This is also
what x509-system does for the tls package. So I was hoping that
someone had done that already.

Another solution is to have a package that provides its own certificate
bundle. For example, in Perl they have Mozilla::CA [2] which provides
a copy of the certificate bundle from Firefox.

Or maybe there is some other cross-platform solution that I am missing.

[1] https://stackoverflow.com/a/19612161
[2] http://search.cpan.org/perldoc?Mozilla%3A%3ACA

On Sat, Feb 14, 2015 at 2:20 AM, Julian Ospald <hasufell at posteo.de> wrote:
> Marios Titas:
>> If I want to use HsOpenSSL for a TLS client application that verifies
>> the server certificate I have to manually specify a CA certificate
>> bundle containing the trusted roots. For example, in a Linux system, I
>> would do the following
>>
>>     import OpenSSL.Session (Context, VerificationMode(..), context,
>>                             contextSetVerificationMode, contextSetCADirectory)
>>
>>     mkTlsContext :: IO Context
>>     mkTlsContext = do
>>         ctx <- context
>>         -- verify the peer and fail the handshake if it presents no certificate
>>         contextSetVerificationMode ctx (VerifyPeer True False Nothing)
>>         -- trust store: the hashed CA directory of a typical Linux system
>>         contextSetCADirectory ctx "/etc/ssl/certs"
>>         return ctx
>>
>> The problem is that the above solution only works for Linux. Is there
>> a cross-platform way to find a reasonable CA bundle and use it with
>> HsOpenSSL?
>>
>> Note that the tls package has x509-system [1] that does exactly that.
>> So I am basically asking if anybody has written something similar for
>> HsOpenSSL.
>>
>> [1] https://hackage.haskell.org/package/x509-system
>
>
> You shouldn't have to manually specify it.
>
> There is the function SSL_CTX_set_default_verify_paths() which sets
> default directories for the CAfile and CApath which are configured
> during compile-time of openssl.
>
> Unfortunately, some distributions don't really follow these standard
> paths, but that's your first bet.
>
> You might find this link interesting too:
> https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
>
> But from what I see... HsOpenSSL lacks this function. Unless I missed
> something, I'd call that a bug.
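An added example, not code from this thread or from HsOpenSSL itself, showing the "ship your own bundle" approach the thread discusses (Mozilla::CA style) combined with the lookup order OpenSSL's own default verify paths use: the SSL_CERT_FILE / SSL_CERT_DIR environment variables first, then well-known distro bundle locations, then a bundle shipped with the application. The distro paths and the `bundled/cacert.pem` location are assumptions, and the Windows system store is deliberately not touched here; on Windows the code simply ends up at the shipped bundle.

```haskell
import Control.Monad (filterM)
import Data.Maybe (listToMaybe)
import System.Directory (doesFileExist, doesDirectoryExist)
import System.Environment (lookupEnv)
import OpenSSL.Session
  ( Context, VerificationMode(..), context
  , contextSetCAFile, contextSetCADirectory, contextSetVerificationMode )

data TrustSource = CAFile FilePath | CADir FilePath deriving Show
-- Well-known PEM bundle locations (assumed common distro paths), tried in order.
-- Windows keeps its roots in the system store, not a PEM file, hence the fallback.
knownBundles :: [FilePath]
knownBundles =
  [ "/etc/ssl/certs/ca-certificates.crt"  -- Debian/Ubuntu
  , "/etc/pki/tls/certs/ca-bundle.crt"    -- Fedora/RHEL
  , "/etc/ssl/cert.pem"                   -- Alpine, macOS
  ]

-- Assumed location of a Mozilla::CA-style bundle shipped with the application.
bundledFallback :: FilePath
bundledFallback = "bundled/cacert.pem"
-- Resolve the trust store: OpenSSL's own SSL_CERT_FILE / SSL_CERT_DIR variables
-- first, then the known bundles, then the shipped copy. Nothing means no store.
findTrustSource :: IO (Maybe TrustSource)
findTrustSource = do
  envFile <- lookupEnv "SSL_CERT_FILE"
  envDir  <- lookupEnv "SSL_CERT_DIR"
  fromEnv <- case (envFile, envDir) of
    (Just f, _) -> fmap (check (CAFile f)) (doesFileExist f)
    (_, Just d) -> fmap (check (CADir d)) (doesDirectoryExist d)
    _           -> return Nothing
  case fromEnv of
    Just src -> return (Just src)
    Nothing  -> do
      found <- filterM doesFileExist (knownBundles ++ [bundledFallback])
      return (fmap CAFile (listToMaybe found))
  where
    check src ok = if ok then Just src else Nothing
-- Build a verifying client context (call it inside withOpenSSL). With no trust
-- store it fails loudly instead of falling back to VerifyNone.
mkTlsContext :: IO Context
mkTlsContext = do
  src <- findTrustSource
  ctx <- context
  contextSetVerificationMode ctx (VerifyPeer True False Nothing)
  case src of
    Just (CAFile f) -> contextSetCAFile ctx f
    Just (CADir d)  -> contextSetCADirectory ctx d
    Nothing         -> fail "no CA trust store found; refusing to build an unverified context"
  return ctx
```

Keeping the shipped bundle current is then the application's job, exactly as it is for Mozilla::CA users, and the fail-closed branch makes a missing store a visible error rather than a silently unverified connection.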
