[Haskell-cafe] Is there a cross platform CA certificate bundle solution for HsOpenSSL?
redneb8888 at gmail.com
Mon Feb 16 08:14:12 UTC 2015
So I decided to write my own solution for that:
It works similarly to x509-system. Depending on the operating system,
it tries to find a reasonable CA certificate store and use that. It
should work on most OSs. I tested it on a couple of Linux distros, Mac OS
X 10.9, and Windows XP & 8.1.
On Sat, Feb 14, 2015 at 2:23 PM, Marios Titas <redneb8888 at gmail.com> wrote:
> Thanks for the response. My problem is that this would probably not
> work under Windows as there is no CA bundle in PEM format somewhere in
> the file system if I am not mistaken. Instead, I think you have to
> call CertOpenSystemStore to get the certificates and then parse them
> and add them one by one to the OpenSSL context (see [1]). This is also
> what x509-system does for the tls package. So I was hoping that
> someone had done that already.
>
> Another solution is to have a package that provides its own certificate
> bundle. For example, in Perl they have Mozilla::CA [2] which provides
> a copy of the certificate bundle from Firefox.
>
> Or maybe there is some other cross-platform solution that I am missing.
>
> [1] https://stackoverflow.com/a/19612161
> [2] http://search.cpan.org/perldoc?Mozilla%3A%3ACA
> On Sat, Feb 14, 2015 at 2:20 AM, Julian Ospald <hasufell at posteo.de> wrote:
>> Marios Titas:
>>> If I want to use HsOpenSSL for a tls client application that verifies
>>> the server certificate I have to manually specify a CA certificate
>>> bundle containing the trusted roots. For example, in a linux system, I
>>> would do the following
>>> import OpenSSL.Session (SSLContext, VerificationMode (..), context,
>>>                         contextSetVerificationMode, contextSetCADirectory)
>>>
>>> mkTlsContext :: IO SSLContext
>>> mkTlsContext = do
>>>     ctx <- context
>>>     -- verify the server's chain; fail if it presents no certificate
>>>     contextSetVerificationMode ctx (VerifyPeer True False Nothing)
>>>     -- trusted roots: the distribution's hashed certificate directory
>>>     contextSetCADirectory ctx "/etc/ssl/certs"
>>>     return ctx
>>> The problem is that the above solution only works for Linux. Is there
>>> a cross-platform way to find a reasonable CA bundle and use it with
>>> Note that the tls package has x509-system [1] that does exactly that.
>>> So I am basically asking if anybody has written something similar for
>>>
>>> [1] https://hackage.haskell.org/package/x509-system
>> You shouldn't have to manually specify it.
>> There is the function SSL_CTX_set_default_verify_paths() which sets
>> default directories for the CAfile and CApath which are configured
>> during compile-time of openssl.
>> Unfortunately, some distributions don't really follow these standard
>> paths, but that's your first bet.
>> You might find this link interesting too:
>> But from what I see... HsOpenSSL lacks this function. Unless I missed
>> something, I'd call that a bug.
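As an added example (not code from any of the posts above, nor from the package Marios wrote), here is a small HsOpenSSL helper in the spirit of x509-system that does what both the original question and the "ship your own bundle" alternative describe: probe a table of well-known trust-store locations, fall back to a PEM bundle the application ships itself (the Mozilla::CA approach), and refuse to build a context when neither is available. The candidate path table is an assumption made for this example about where common distributions keep their roots; HsOpenSSL ships no such list. The `shipped` parameter and the `CaSource` type are likewise this example's own. Only `context`, `contextSetVerificationMode`, `contextSetCAFile` and `contextSetCADirectory` from `OpenSSL.Session` are relied on. Reading the Windows system store via CertOpenSystemStore is not attempted here, so on Windows the shipped bundle is the only source.

```haskell
module CaStore (CaSource (..), findCaSource, mkVerifyingContext) where

import Control.Monad (filterM)
import Data.Maybe (listToMaybe)
import OpenSSL.Session
  ( SSLContext, VerificationMode (..), context
  , contextSetCADirectory, contextSetCAFile, contextSetVerificationMode )
import System.Directory (doesDirectoryExist, doesFileExist)
import System.Info (os)

-- A source of trusted roots: one PEM bundle file, or an OpenSSL-style
-- hashed directory (the "/etc/ssl/certs" of the original post).
data CaSource = CaBundle FilePath | CaDir FilePath
  deriving (Eq, Show)

-- Candidate locations in order of preference.  This table is an
-- assumption made for this example about where common distributions
-- keep their roots; HsOpenSSL itself ships no such list.  Bundle files
-- come before the directory because a CA directory only works if it has
-- been hashed (c_rehash), which a bundle does not need.
unixCandidates :: [CaSource]
unixCandidates =
  [ CaBundle "/etc/ssl/certs/ca-certificates.crt"      -- Debian, Ubuntu
  , CaBundle "/etc/pki/tls/certs/ca-bundle.crt"        -- Fedora, RHEL
  , CaBundle "/etc/ssl/ca-bundle.pem"                  -- openSUSE
  , CaBundle "/etc/ssl/cert.pem"                       -- OpenBSD, Alpine
  , CaBundle "/usr/local/share/certs/ca-root-nss.crt"  -- FreeBSD (ca_root_nss)
  , CaDir    "/etc/ssl/certs"                          -- hashed directory
  ]

exists :: CaSource -> IO Bool
exists (CaBundle p) = doesFileExist p
exists (CaDir p)    = doesDirectoryExist p

-- Pick the first usable source.  'shipped' is a PEM bundle the
-- application distributes itself (what Mozilla::CA does for Perl): the
-- last resort on Unix and the only option here on Windows, where the
-- roots live in the system certificate store, not in a PEM file on disk.
findCaSource :: Maybe FilePath -> IO (Maybe CaSource)
findCaSource shipped = do
  let system
        | os == "mingw32" = []          -- GHC reports Windows as "mingw32"
        | otherwise       = unixCandidates
      candidates = system ++ maybe [] (\p -> [CaBundle p]) shipped
  fmap listToMaybe (filterM exists candidates)

-- Build a client context that verifies the server chain against the
-- discovered roots.  Failing here is deliberate: the failure mode to
-- avoid is a client that "works" because verification was pointed at an
-- empty store, or was quietly skipped.
mkVerifyingContext :: Maybe FilePath -> IO SSLContext
mkVerifyingContext shipped = do
  src <- findCaSource shipped
  ctx <- context
  -- VerifyPeer: check the peer chain and fail if no certificate is
  -- presented; the middle flag (request a client cert only once) is only
  -- meaningful for servers; no extra verification callback.
  contextSetVerificationMode ctx (VerifyPeer True False Nothing)
  case src of
    Just (CaBundle p) -> contextSetCAFile ctx p
    Just (CaDir p)    -> contextSetCADirectory ctx p
    Nothing           -> ioError (userError
                           ("no CA trust store found on " ++ os
                            ++ "; refusing to create an unverifying context"))
  return ctx
```

Usage: `mkVerifyingContext (Just "cacert.pem")` on a Debian host picks `/etc/ssl/certs/ca-certificates.crt`; on Windows it uses `cacert.pem`, and if that file is missing the call throws instead of handing back a context that verifies against nothing. Two caveats a practitioner should keep in mind. First, if the HsOpenSSL you build against does bind `SSL_CTX_set_default_verify_paths`, call that first and use a finder like this one only as the fallback, since the compiled-in paths are what the rest of the system's OpenSSL users rely on. Second, a chain that verifies to a trusted root says nothing about whether the certificate names the host you intended to reach; unless your HsOpenSSL version performs that check for you, inspect the peer certificate's subject and subject alternative names yourself after the handshake, because a CA-verified connection to the wrong host is still a compromised one.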