Hi,
Based on the code, docs, and an email on this list (http://bit.ly/oSLiox) I’ve started implementing my own certificate verification code, but my experience with OpenSSL is very limited and I’ve run into a few snags so I’d like some feedback on this code.
The code (and a prettier version of this email) is at: https://gist.github.com/1151454
The snags are:
- Adding a certificate to an OpenSSL::X509::Store which is already in the chain will raise an exception. This is something that can happen quite easily, because:
  - some servers send the same certificate multiple times (cough gmail cough).
  - servers may also send the root certificate, which is already in the store because I initialize it with a list of the root CA certificates.
  - it's impossible to ask the store if a certificate is already in the chain.

  So am I doing this completely wrong? Right now I assume I have the root certificate and ignore duplicates by keeping a reference to the last seen certificate, but without these assumptions/checks the only way I see to do it is by rescuing the exception :'(

- Is there an existing way to get the hostname that the Connection might have been initialized with? As far as I could tell you can only get the actual address (ip/port).
Cheers, Eloy
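An added example (editor's code, not the gist from the mail above) showing one way around both snags. The certificates a server presents are never added to the OpenSSL::X509::Store, because the store holds trust anchors and anything put in it becomes trusted; only the root CA list goes in, and the presented certificates are handed to OpenSSL::X509::Store#verify as the untrusted chain. Since the store cannot be asked whether it already contains a certificate, and adding one twice either raises OpenSSL::X509::StoreError or is silently ignored depending on the OpenSSL version, duplicates and already-trusted roots are filtered by a SHA-256 fingerprint of the DER encoding instead. The leaf is then checked against a hostname with OpenSSL::SSL.verify_certificate_identity; the example assumes the caller can supply the hostname it connected to. All certificates are constructed in memory as test fixtures and the names (example.test, build_cert, dedupe_chain, verify_peer) are this example's own.

```ruby
require 'openssl'

# Constructed fixture: build a certificate in memory. Self-signed when no issuer is given.
def build_cert(subject:, key:, ca:, issuer: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Stable identity for de-duplication: SHA-256 over the DER encoding.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Drop repeated certificates and any certificate that is already a trust anchor,
# without touching the store at all.
def dedupe_chain(chain, trusted)
  seen = {}
  trusted.each { |c| seen[fingerprint(c)] = true }
  unique = []
  chain.each do |cert|
    fp = fingerprint(cert)
    next if seen[fp]
    seen[fp] = true
    unique << cert
  end
  unique
end

# Verify `leaf` against the trust anchors in `roots`. Everything else the peer
# sent is passed as an untrusted chain, never added to the store.
# Returns [true, nil] on success or [false, reason] on failure.
def verify_peer(leaf, presented, roots, hostname)
  store = OpenSSL::X509::Store.new
  roots.each { |r| store.add_cert(r) } # trust anchors only
  untrusted = dedupe_chain(presented, roots)
  return [false, store.error_string] unless store.verify(leaf, untrusted)
  return [false, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  [true, nil]
end

# Constructed fixtures: root -> intermediate -> leaf, plus a self-signed "rogue"
# certificate that claims the same hostname but chains to nothing we trust.
def build_fixtures
  root_key, inter_key, leaf_key, rogue_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root  = build_cert(subject: '/CN=Example Test Root', key: root_key, ca: true)
  inter = build_cert(subject: '/CN=Example Test Intermediate', key: inter_key, ca: true,
                     issuer: root, issuer_key: root_key)
  leaf  = build_cert(subject: '/CN=mail.example.test', key: leaf_key, ca: false,
                     issuer: inter, issuer_key: inter_key, san: 'DNS:mail.example.test')
  rogue = build_cert(subject: '/CN=mail.example.test', key: rogue_key, ca: false,
                     san: 'DNS:mail.example.test')
  { root: root, inter: inter, leaf: leaf, rogue: rogue }
end

if $PROGRAM_NAME == __FILE__
  f = build_fixtures
  # A server that sends the intermediate twice and the root as well, as described in the mail.
  presented = [f[:leaf], f[:inter], f[:inter], f[:root]]
  puts "unique untrusted certs: #{dedupe_chain(presented, [f[:root]]).size}"
  puts "leaf, right host:  #{verify_peer(f[:leaf], presented, [f[:root]], 'mail.example.test').inspect}"
  puts "leaf, wrong host:  #{verify_peer(f[:leaf], presented, [f[:root]], 'other.example.test').inspect}"
  puts "self-signed rogue: #{verify_peer(f[:rogue], [], [f[:root]], 'mail.example.test').inspect}"
end
```

The rogue certificate is the reason for keeping presented certificates out of the store: had the code added whatever the peer sent before calling verify, the self-signed rogue would have become its own trust anchor and verified cleanly.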