.
D 2020-08-20T22:25:53.818
J foundin 1.7.21
J icomment It\sis\sprobably\sfair\sto\ssay\sthat\sthe\smost\scommon\sreason\sto\sstart\s\r\nusing\sTclTLS\sis\sthat\sone\swants\sto\s"fetch\sa\swebpage"\s(or\smore\s\r\ngenerally\ssend\sHTTP\srequests\sto\ssome\sserver,\sperhaps\sas\spart\sof\r\nsome\sAPI),\swhich\sused\sto\sbe\sa\sstraightforward\sapplication\sof\sthe\s\r\nhttp\spackage,\sbut\snowadays\sweb\sservers\sincreasingly\sonly\swant\sto\s\r\ndo\shttps.\sThis\smeans\sthat\ssection\sis\sa\svery\simportant\sexample!\s\r\nAFAICT\sit\smoreover\sshould\sjust\sbe\sa\smatter\sof\sgiving\sthe\sright\s\r\nhttp::register\scommand,\spretty\smuch\sas\sshown\sin\sthat\ssection,\s\r\nbut\sunfortunately\sseveral\sdetails\sseem\sto\sbe\swrong\sand/or\sconfusing,\s\r\nand\sdefinitely\snot\ssatisfactorily\sexplained.\r\n\r\n1.\sThe\sfirst\s(indeed\sonly)\ssentence\sin\sthat\ssection\sreads\r\n"This\sexample\suses\sa\ssample\sserver.pem\sprovided\swith\sthe\sTLS\s\r\nrelease,\scourtesy\sof\sthe\sOpenSSL\sproject."\r\n\r\nPresumably\sthat\srefers\sto\sthe\sfile\stests/certs/server.pem\sin\sthe\s\r\nTclTLS\ssources.\sThat\sfile\sis\snot\sused\sby\sthe\scode\sfollowing,\sand\s\r\nindeed\sit\swould\smake\sno\ssense\sfor\sit\sto\sbe\sso\sused,\ssince\sit\s\r\nseems\sto\sbe\sa\scertificate\sthat\swould\sbe\sneeded\sby\sa\sserver,\s\r\nwhereas\sthis\sexample\sis\sabout\sbeing\san\sHTTPS\s*client*.\r\n\r\n2.\sThe\stls::socket\scommand\shas\sthe\soption\s\s-cadir\s/etc/ssl/certs\r\n\r\nFrom\swhat\slittle\sexperimentation\sI've\sbeen\sable\sto\sdo,\sit\sseems\s\r\nsome\sexplicit\sspecification\sof\sthe\scertificate\sauthorities\sis\s\r\nindeed\snecessary.\sThat\sis\sin\sitself\sa\sbit\sodd,\sbecause\sfrom\swhat\s\r\nI've\sbeen\sable\sto\sgather,\sOpenSSL\sshould\sbe\sable\sto\sfind\sits\sdefault\s\r\ncollection\sof\sroot\scertificates\sitself,\susing\sSSL_CTX_set_default_verify_paths();\s\r\nthe\scounterparts\sof\s-cadir\s/\s-cafile\sin\sOpenSSL\sare\smore\sfor\swhen\syou\s\r\nhave\syour\sown\sCA\sfor\sjust\sthis\sproject.\r\n\r\nSecond,\s/etc/ssl/certs\sis\snot\sthe\scanonical\sdirectory\sof\sroot\s\r\ncertificates.\sIt\sis\sthe\sdirectory\sof\sroot\scertificates\sin\s*one*\s\r\nLinux\sdistro\s(I\sforget\swhich\sone),\sbut\sthey\spretty\smuch\sall\sput\sthat\s\r\ndirectory\sin\sdifferent\slocations.\s\r\nThe\scanonical\sdirectory\sis\s$OPENSSLDIR/certs,\swhich\sdefaults\sto\s\r\n/usr/local/ssl/certs.\r\n\r\nThird,\sthe\s-cadir\sis\srather\sawkward\sto\sstart\swith,\sif\syou\sfind\s\r\nyourself\sin\sthe\sposition\sof\sactually\sneeding\sto\ssupply\sthese\s\r\n(which\syou\swill,\sin\scase\syou\sinstall\sopenssl\sfrom\ssource),\s\r\nsince\sthe\scollections\sof\sroot\scertificates\sone\scan\sdownload\sfrom\s\r\nthe\sinternet\s(not\sincluded\swith\sOpenSSL\sitself)\sare\sinstead\sin\sthe\s\r\nform\sof\sa\s-cafile.\sPopulating\sthe\s-cadir\sis\snot\ssomething\sone\s\r\nundertakes\smanually,\ssince\sthe\sindividual\scertificate\sfiles\sneed\sto\s\r\nbe\snamed\saccording\sto\stheir\shashes\sfor\sOpenSSL\sto\sfind\sthem.\sFinding\s\r\nout\sabout\sc_rehash\sis\snot\sall\sthat\seasy\swhen\syou're\sprimarily\sa\sTcler.\r\n\r\n3.\sIndeed,\sthere\sprobably\sshould\sbe\sa\ssection\sin\sthe\sTclTLS\smanpage\s\r\ngiving\sa\squick\sexplanation\sof\scertificates\sand\stheir\srole\sin\sTLS,\s\r\nbecause\sthat\sside\sof\sTLS\sis\squite\snon-obvious\sto\sthe\suser\swho\shas\s\r\nprimarily\sencountered\sTLS\sin\sthe\sform\sof\shttps\sin\sa\sweb\sbrowser\s—\s\r\nknowing\sthat\sencrypted\scommunication\sis\suseful\sis\snot\sso\shard,\s\r\nrealising\sthat\syou\salso\swant\sto\sbe\ssure\sabout\sthe\sidentity\sof\sthe\s\r\nserver\syou're\stalking\sto\stakes\sa\sbit\smore\sinsight.
J login anonymous
J mimetype text/x-fossil-plain
J private_contact c47142f6219c164377efd7f92c5d3dfe2a13b4cf
J severity Important
J status Open
J title "https\sexample"\ssection\sis\sconfusing
J type Documentation
K 56d19eb033715cd05fbb7a09261e8a0f29a7f1c3
U anonymous
Z 15bc1366fd1a97f97a0b329c2650e3ef
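The ticket's points 2 and 3 are about the one thing the "https example" section should make clear: an HTTPS client has to tell TclTLS which root certificates to trust, and has to insist that the server's certificate chains to one of them, otherwise the connection is encrypted but the peer is unauthenticated. The following is an added example written for this page; it is not code from the ticket, from the TclTLS manual or from the TclTLS distribution. It assumes Tcl 8.6, the tls::socket options as documented for this TclTLS release (-cafile, -cadir, -require, -autoservername), a CA bundle at /etc/ssl/certs/ca-certificates.crt (a Debian-style path; substitute whatever your OpenSSL build or distro provides, as the ticket notes the location varies), and https://www.example.com/ as a stand-in URL.

```tcl
# Added example (not from the ticket or the TclTLS distribution): fetch a
# page over HTTPS with the http package and TclTLS, with server certificate
# verification actually enforced.
package require http
package require tls

# Where the trusted roots come from.  -cafile takes one PEM bundle, which is
# the form the downloadable root-certificate collections come in; -cadir
# takes a directory whose files are named by subject hash (prepared with
# c_rehash, or "openssl rehash" on OpenSSL 1.1+).  The path below is an
# assumption for a Debian-style layout; adjust to your system.
set cafile /etc/ssl/certs/ca-certificates.crt

# -require 1: fail the handshake unless the peer presents a certificate that
#   chains to a root in $cafile.  Without it TclTLS accepts an unverifiable
#   peer, so the traffic is encrypted but the server is not authenticated.
# -autoservername 1: send the host name in the ClientHello (SNI), which
#   name-based virtual hosts need in order to present the right certificate.
http::register https 443 [list ::tls::socket \
    -require 1 \
    -autoservername 1 \
    -cafile $cafile]

# Fetch a URL and return {http-status-code body}.  A failed verification
# surfaces as a Tcl error from http::geturl (the tls handshake aborts), so
# the caller cannot silently proceed with an unauthenticated server.
proc fetch {url} {
    set tok [http::geturl $url]
    try {
        if {[http::status $tok] ne "ok"} {
            error "request failed: [http::error $tok]"
        }
        return [list [http::ncode $tok] [http::data $tok]]
    } finally {
        http::cleanup $tok
    }
}

if {[info script] eq $::argv0} {
    lassign [fetch https://www.example.com/] code body
    puts "HTTP $code, [string length $body] bytes"
}
```

To use -cadir instead of -cafile, point it at a directory that has been processed with c_rehash (or `openssl rehash` with OpenSSL 1.1 and later), which creates the hash-named symlinks OpenSSL looks for; a directory of plainly named .pem files will not be searched. A quick sanity check for the whole setup is to point the script at a host whose certificate is not trusted by the bundle (for example a self-signed test server): with -require 1 the fetch must raise an error rather than return a body.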