There are two things you need to verify: that the certificate's signature is valid (i.e. that what the certificate has to say about itself is true) and that the certificate is saying what you expect it to say.
If you only verify that the signature is valid, the black hats could put in any validly signed certificate.
As far as I could see, you can check the subject name:
Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($server_cert))
and the issuer name:
Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($server_cert))
However, these high-level routines are available only after you've already sent your request. To verify before you send your data, you need to use the low-level routines; the perldoc suggests you see the implementation of ds_https3() for ideas on how that works.
Verifying that the signature is correct appears much simpler - a matter of setting a single flag, unless you also want to check the revocation lists.
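Added example, not part of the original post and not code from Net::SSLeay itself: one way to make both checks with the low-level routines before any request data is written. The function name connect_verified and the command-line host and port are assumptions for illustration; revocation lists are not checked.

```perl
use strict;
use warnings;
use IO::Socket::INET;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# connect_verified is a hypothetical helper: it completes the handshake and
# returns the TLS handle only if both checks pass. Nothing is sent before that.
sub connect_verified {
    my ($host, $port, $want_cn) = @_;
    my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp')
        or die "tcp connect to $host:$port failed: $!\n";

    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
    Net::SSLeay::CTX_set_default_verify_paths($ctx);    # system CA store
    # Check 1 (the "single flag"): require a valid signature chain.
    # The callback passes OpenSSL's own verdict through unchanged.
    Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER(), sub { $_[0] });

    my $ssl = Net::SSLeay::new($ctx) or die "SSL new failed\n";
    Net::SSLeay::set_tlsext_host_name($ssl, $host);     # SNI
    Net::SSLeay::set_fd($ssl, fileno($sock));
    Net::SSLeay::connect($ssl) == 1
        or die "TLS handshake or chain verification failed\n";
    # X509_V_OK is 0; anything else means the chain did not verify.
    Net::SSLeay::get_verify_result($ssl) == 0
        or die "certificate chain did not verify\n";

    # Check 2: the certificate says what we expect it to say.
    my $cert = Net::SSLeay::get_peer_certificate($ssl) or die "no peer certificate\n";
    my $subject = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert));
    my $issuer  = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($cert));
    # Matches the subject CN only; subjectAltName entries are not examined.
    $subject =~ m{/CN=\Q$want_cn\E(?:/|$)}
        or die "unexpected subject: $subject\n";
    return ($ssl, $sock, $ctx, $issuer);
}

# Usage: perl check.pl HOST PORT   (the request is written only after both checks)
if (@ARGV == 2) {
    my ($host, $port) = @ARGV;
    my ($ssl, $sock, $ctx, $issuer) = connect_verified($host, $port, $host);
    print "issuer: $issuer\n";
    Net::SSLeay::write($ssl, "HEAD / HTTP/1.0\r\nHost: $host\r\n\r\n");
    my $reply = Net::SSLeay::read($ssl);
    print $reply if defined $reply;
    Net::SSLeay::free($ssl);
    Net::SSLeay::CTX_free($ctx);
    close $sock;
}
```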