trondd
2015-01-27 18:57:13 UTC
I use www/links+ often as a nice lightweight browser. However, I
realized it didn't do any SSL certificate validation. I found a
patch that added basic validation (while silently allowing self
signed certs) but still didn't do hostname verification.
I went in search of some examples of hostname verification with SSL
and, of course, found myself in the libtls code. Awesome! Why do
it myself? It's already written for me.
So I replaced the SSL code with libtls and got a light, functional
web browser with cert verification and hostname verification.
I have a few things to clean up, but I wonder if people would be
interesting in using this? It was just a "can I do it?" project
for me as I haven't written more than a few lines of C code in ~15
years and I really wanted to use links+ safely. It helped to have
libtls available that just gets the job done.
I don't think libressl is ported as widely as links+ so wouldn't
expect this to go upstream, though I'll try to get their feedback.
Maybe they'll be encouraged to implement the solution they want to
support.
As an aside, I also added an option to enable/disable cookies. It
was hardcoded to allow them, but the code to turn it off was there,
except the UI for it.
Some TODOs:
Optionally allow self signed certs (not sure how to do this with
libtls).
Add a useful error message when there is an SSL error.
Test failure cases. With SSL, links+ would retry or abort a
connection depending on errors libtls seem to hide. (Maybe they
never matter?)
Tim.
realized it didn't do any SSL certificate validation. I found a
patch that added basic validation (while silently allowing self
signed certs) but still didn't do hostname verification.
I went in search of some examples of hostname verification with SSL
and, of course, found myself in the libtls code. Awesome! Why do
it myself? It's already written for me.
So I replaced the SSL code with libtls and got a light, functional
web browser with cert verification and hostname verification.
I have a few things to clean up, but I wonder if people would be
interesting in using this? It was just a "can I do it?" project
for me as I haven't written more than a few lines of C code in ~15
years and I really wanted to use links+ safely. It helped to have
libtls available that just gets the job done.
I don't think libressl is ported as widely as links+ so wouldn't
expect this to go upstream, though I'll try to get their feedback.
Maybe they'll be encouraged to implement the solution they want to
support.
As an aside, I also added an option to enable/disable cookies. It
was hardcoded to allow them, but the code to turn it off was there,
except the UI for it.
Some TODOs:
Optionally allow self signed certs (not sure how to do this with
libtls).
Add a useful error message when there is an SSL error.
Test failure cases. With SSL, links+ would retry or abort a
connection depending on errors libtls seem to hide. (Maybe they
never matter?)
Tim.