Author ronaldoussoren
Recipients benjamin.peterson, brian.curtin, christian.heimes, esc24, georg.brandl, larry, loewis, merwok, ned.deily, pitrou, ronaldoussoren
Date 2013-02-08.09:34:06
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1360316047.24.0.16770838679.issue17128@psf.upfronthosting.co.za>
In-reply-to
Content
See also: issue 15740


A version of OpenSSL as included in some versions of OSX can be downloaded from <http://opensource.apple.com/tarballs/OpenSSL098/>, as mentioned in issue 15740 the versions as included in the most recent OS updates doesn't seem to be there.

I've downloaded OpenSSL098-35.1 and that includes files ./src/crypto/x509/x509_vfy_apple.h and ./src/crypto/x509/x509_vfy_apple.c which implement the behavior I mentioned earlier: first try to verify using the default OpenSSL mechanism, then verify using the TrustEvaluationAgent. 

Now that I look at that code again: we can't extract that code and use it to patch upstream OpenSSL, the TrustEvaluationAgent framework is a private framework and hence off limits.

It is probably possible to reimplement the same feature using public APIs, but that's new development and should be off-limits for a bugfix release (and isn't something that can be done very soon without risking to introduce new bugs in security-related code).

Direct link to the source code I mentioned: http://opensource.apple.com/source/OpenSSL098/OpenSSL098-32/src/crypto/x509/x509_vfy_apple.c, http://opensource.apple.com/source/OpenSSL098/OpenSSL098-32/src/crypto/x509/x509_vfy_apple.h


A blog about this feature by the one of the curl developers: http://daniel.haxx.se/blog/2011/11/05/apples-modified-ca-cert-handling-and-curl/


P.S. Apple doesn't exactly make it easy to find this information.
History
Date User Action Args
2013-02-08 09:34:07ronaldoussorensetrecipients: + ronaldoussoren, loewis, georg.brandl, pitrou, larry, christian.heimes, benjamin.peterson, ned.deily, merwok, brian.curtin, esc24
2013-02-08 09:34:07ronaldoussorensetmessageid: <1360316047.24.0.16770838679.issue17128@psf.upfronthosting.co.za>
2013-02-08 09:34:07ronaldoussorenlinkissue17128 messages
2013-02-08 09:34:06ronaldoussorencreate