[Haskell-cafe] Is there a cross platform CA certificate bundle solution for HsOpenSSL?

Marios Titas redneb8888 at gmail.com
Mon Feb 16 08:14:12 UTC 2015


So I decided to write my own solution for that:

https://hackage.haskell.org/package/HsOpenSSL-x509-system

It works similarly to x509-system. Depending on the operating system,
it tries to find a reasonable CA certificate store and use that. It
should work on most OSs. I tested it on a couple of Linux distros, Mac OS
X 10.9, Windows XP & 8.1.

On Sat, Feb 14, 2015 at 2:23 PM, Marios Titas <redneb8888 at gmail.com> wrote:
> Hi
>
> Thanks for the response. My problem is that this would probably not
> work under Windows, as there is no CA bundle in PEM format somewhere in
> the file system if I am not mistaken. Instead, I think you have to
> call CertOpenSystemStore to get the certificates and then parse them
> and add them one by one to the OpenSSL context (see [1]). This is also
> what x509-system does for the tls package. So I was hoping that
> someone had done that already.
>
> Another solution is to have a package that provides its own certificate
> bundle. For example, in Perl they have Mozilla::CA [2], which provides
> a copy of the certificate bundle from Firefox.
>
> Or maybe there is some other cross-platform solution that I am missing.
>
> [1] https://stackoverflow.com/a/19612161
> [2] http://search.cpan.org/perldoc?Mozilla%3A%3ACA
>
> On Sat, Feb 14, 2015 at 2:20 AM, Julian Ospald <hasufell at posteo.de> wrote:
>> Marios Titas:
>>> If I want to use HsOpenSSL for a TLS client application that verifies
>>> the server certificate, I have to manually specify a CA certificate
>>> bundle containing the trusted roots. For example, on a Linux system, I
>>> would do the following:
>>>
>>>     import OpenSSL.Session
>>>
>>>     mkTlsContext :: IO SSLContext
>>>     mkTlsContext = do
>>>         ctx <- context
>>>         -- require a peer certificate that chains to a trusted root
>>>         contextSetVerificationMode ctx (VerifyPeer True False Nothing)
>>>         contextSetCADirectory ctx "/etc/ssl/certs"
>>>         return ctx
>>>
>>> The problem is that the above solution only works for Linux. Is there
>>> a cross-platform way to find a reasonable CA bundle and use it with
>>> HsOpenSSL?
>>>
>>> Note that the tls package has x509-system [1] that does exactly that.
>>> So I am basically asking if anybody has written something similar for
>>> HsOpenSSL.
>>>
>>> [1] https://hackage.haskell.org/package/x509-system
>>
>>
>> You shouldn't have to manually specify it.
>>
>> There is the function SSL_CTX_set_default_verify_paths() which sets
>> default directories for the CAfile and CApath which are configured
>> during compile-time of openssl.
>>
>> Unfortunately, some distributions don't really follow these standard
>> paths, but that's your first bet.
>>
>> You might find this link interesting too:
>> https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
>>
>> But from what I see... HsOpenSSL lacks this function. Unless I missed
>> something, I'd call that a bug.
>> _______________________________________________
>> Haskell-Cafe mailing list
>> Haskell-Cafe at haskell.org
>> http://www.haskell.org/mailman/listinfo/haskell-cafe
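The approach discussed in this thread (probe the platform's usual CA store locations and hand the first one found to HsOpenSSL) as an added example; this is not code from the thread, from HsOpenSSL, or from HsOpenSSL-x509-system. It assumes the `OpenSSL.Session` API shown in the original message (`context`, `contextSetVerificationMode`, `contextSetCAFile`, `contextSetCADirectory`, `VerifyPeer`), and the candidate paths are the conventional distribution locations, not something the thread lists. Windows deliberately gets no candidates, because, as noted above, there is no PEM bundle on disk there.

```haskell
-- Added example (not from the thread or from HsOpenSSL-x509-system):
-- locate a platform CA store and build an SSLContext that verifies peers.
module TlsClientContext
  ( CAStore(..), candidateStores, findCAStore, mkVerifyingContext ) where

import Control.Monad (filterM)
import System.Directory (doesDirectoryExist, doesFileExist)
import System.Info (os)
import OpenSSL.Session
  ( SSLContext, VerificationMode(..), context
  , contextSetVerificationMode, contextSetCAFile, contextSetCADirectory )

-- | A trust store is either a single PEM bundle or a c_rehash-style
-- directory of hash-named certificate links (what contextSetCADirectory
-- expects; a directory of plain .pem files will NOT be consulted).
data CAStore = CAFile FilePath | CADir FilePath
  deriving (Show, Eq)

-- | Candidate stores per platform, most specific first. These are the
-- conventional distribution paths (assumed here, not taken from the thread).
-- Windows returns an empty list: its roots live in the system store, not in
-- a PEM file, so a caller there must supply a bundle explicitly.
candidateStores :: String -> [CAStore]
candidateStores "linux" =
  [ CAFile "/etc/ssl/certs/ca-certificates.crt"   -- Debian, Ubuntu
  , CAFile "/etc/pki/tls/certs/ca-bundle.crt"     -- Fedora, RHEL
  , CAFile "/etc/ssl/ca-bundle.pem"               -- openSUSE
  , CADir  "/etc/ssl/certs"                       -- hashed directory fallback
  ]
candidateStores "freebsd" =
  [ CAFile "/usr/local/share/certs/ca-root-nss.crt" ]  -- ca_root_nss port
candidateStores "darwin" =
  [ CAFile "/usr/local/etc/openssl/cert.pem"      -- assumed: Homebrew OpenSSL
  , CADir  "/usr/local/etc/openssl/certs"
  ]
candidateStores _ = []

exists :: CAStore -> IO Bool
exists (CAFile p) = doesFileExist p
exists (CADir p)  = doesDirectoryExist p

-- | First candidate that is present on this machine, if any.
findCAStore :: IO (Maybe CAStore)
findCAStore = do
  present <- filterM exists (candidateStores os)
  return $ case present of
    (s : _) -> Just s
    []      -> Nothing

-- | Build a verifying context. An explicit bundle path (e.g. a vendored
-- Mozilla bundle, as the thread suggests for Windows) overrides discovery.
-- Refusing to build a context when no store is found is intentional: a
-- context with VerifyPeer but no trusted roots rejects every peer, and one
-- silently downgraded to VerifyNone accepts any certificate at all.
mkVerifyingContext :: Maybe FilePath -> IO SSLContext
mkVerifyingContext explicitBundle = do
  ctx <- context
  -- Fail the handshake if the peer sends no certificate or one that does
  -- not chain to a configured root.
  contextSetVerificationMode ctx (VerifyPeer True False Nothing)
  store <- case explicitBundle of
    Just p  -> return (Just (CAFile p))
    Nothing -> findCAStore
  case store of
    Just (CAFile p) -> contextSetCAFile ctx p
    Just (CADir p)  -> contextSetCADirectory ctx p
    Nothing         -> fail ("no CA store found for os=" ++ os
                             ++ "; pass a PEM bundle explicitly")
  return ctx
```

Two caveats a practitioner should keep in mind with this approach. First, `VerifyPeer` only establishes that the presented chain ends in a configured root; it does not check that the certificate's subject or subjectAltName matches the host you connected to, so a client still has to perform that name check on the peer certificate itself (or the verification is worth little against an attacker holding any valid certificate). Second, a directory passed to `contextSetCADirectory` is only useful if it has been prepared with `c_rehash`-style hash links, which is why the PEM bundle files are tried before the directory fallback.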
