-
Where the checking happens?
-
Since
ctx->cert_storeis always empty, and the mode isSSL_VERIFY_NONEit's likely that my test program above ignores the verification error. -
Maybe the certificates are loaded in the dart execution environment
-
Looks like this is the place where dart's
defaultContextis connected to the C++ side._SecurityContext(notSecurityContext) is the class that is connected to the C++ native code. -
Here, we can see that the
defaultContextis a object of_SecurityObjectclass, wheretrueis passed as the constructor. -
And this is the constructor: https://github.com/dart-lang/sdk/blob/fab753ea277c96c7699920852dabf977a7065fa5/sdk/lib/_internal/vm/bin/secure_socket_patch.dart#L215
-
In the constructor it calls
_trustBuiltinRootswhich in turn (probably) calls the C++ code. -
Here is the C++ code where it's likely that it's being invoked by the dart code.
-
Interesting issues:
Last active
July 6, 2023 15:02
-
-
Save ty60/3d8fb44a27caa859ab15137795d61d97 to your computer and use it in GitHub Desktop.
Boring ssl client
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // ref: https://e-penguiner.com/encrypted-socket-programming-c-cpp/ | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| #include <arpa/inet.h> | |
| #include <sys/socket.h> | |
| #include "openssl/ssl.h" | |
| #include "openssl/err.h" | |
| const char *req = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"; | |
| int main() { | |
| int sock; | |
| if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { | |
| perror("socket"); | |
| exit(1); | |
| } | |
| struct sockaddr_in server; | |
| server.sin_family = AF_INET; | |
| server.sin_addr.s_addr = inet_addr("93.184.216.34"); // example.com | |
| server.sin_port = htons(443); | |
| if (connect(sock, (struct sockaddr *)&server, sizeof(server)) < 0) { | |
| perror("connect"); | |
| exit(1); | |
| } | |
| SSL_library_init(); | |
| SSL_load_error_strings(); | |
| SSL_CTX *ctx = SSL_CTX_new(TLS_client_method()); | |
| if (!ctx) { | |
| perror("SSL_CTX_new"); | |
| exit(1); | |
| } | |
| SSL *ssl = SSL_new(ctx); | |
| if (!SSL_set_fd(ssl, sock)) { | |
| perror("SSL_set_fd"); | |
| exit(1); | |
| } | |
| if (!SSL_connect(ssl)) { | |
| perror("SSL_connect"); | |
| exit(1); | |
| } | |
| SSL_write(ssl, req, strlen(req)); | |
| char buf[4096]; | |
| SSL_read(ssl, buf, sizeof(buf)); | |
| printf("%s\n", buf); | |
| return 0; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Requires an already built boringssl project as subdirectory | |
| TGT := boringssl_client_example | |
| OBJS := boringssl_client_example.o | |
| CFLAGS := -g -I boringssl/include -pthread | |
| LIBS := boringssl/build/ssl/libssl.a boringssl/build/crypto/libcrypto.a boringssl/build/libpki.a boringssl/build/decrepit/libdecrepit.a | |
| ${TGT}: ${OBJS} | |
| gcc ${CFLAGS} -o $@ $^ ${LIBS} | |
| %.o: %.c | |
| gcc ${CFLAGS} -c $^ | |
| clean: | |
| rm -f ${TGT} ${OBJS} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment