client side ssl certificate validate on mac os x

May 12, 2014 at 12:09 PM
Hi All.

When creating an HTTP client using HTTPS on Mac OS X, it cannot validate the server certificate (or I am doing something wrong). Has anyone got around this issue without turning off SSL validation via http_client_config?
It would be nice if you could load the certs from the keychain and provide them as a "string" into the http_client_config or via a callback.

Eske
May 14, 2014 at 8:44 AM
Edited May 14, 2014 at 1:25 PM
Any takes on this problem?

After a bit of debugging, it shows that OpenSSL (if using the brew version) expects "/usr/local/etc/openssl" to contain the *.pem files.
This path only exists for users of brew that have installed openssl.

Would it be a solution to modify casablanca to accept a "path" and pass it along to boost::asio and set it in boost::asio::ssl::context::add_verify_path(...) in the http_client_config object?

Eske
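
A check related to the add_verify_path proposal above, as an added example that is not part of the original posts or of Casablanca: add_verify_path hands OpenSSL a CApath directory, and that lookup only finds certificate files named by subject-name hash, so a directory of plain *.pem files is not enough. The names CaDirReport, inspect_ca_dir and usable_verify_path are hypothetical, and SSL_CERT_DIR is treated as a single directory.

```cpp
// Added example; CaDirReport, inspect_ca_dir, usable_verify_path are illustrative names.
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <dirent.h>
#include <string>

struct CaDirReport {
    bool exists = false;
    int hashed = 0;     // files the CApath lookup can find
    int plain_pem = 0;  // *.pem files the lookup will ignore
};

// CApath lookup opens "<8 hex digits>.<number>" (subject-name hash + sequence).
bool is_hashed_name(const std::string& n) {
    if (n.size() < 10 || n[8] != '.') return false;
    for (std::size_t i = 0; i < n.size(); ++i) {
        if (i == 8) continue;
        unsigned char c = static_cast<unsigned char>(n[i]);
        if (i < 8 ? !std::isxdigit(c) : !std::isdigit(c)) return false;
    }
    return true;
}

CaDirReport inspect_ca_dir(const std::string& dir) {
    CaDirReport r;
    DIR* d = opendir(dir.c_str());
    if (!d) return r;  // missing or unreadable: nothing to verify against
    r.exists = true;
    while (dirent* e = readdir(d)) {
        std::string name = e->d_name;
        bool pem = name.size() > 4 && name.compare(name.size() - 4, 4, ".pem") == 0;
        if (is_hashed_name(name)) ++r.hashed;
        else if (pem) ++r.plain_pem;
    }
    closedir(d);
    return r;
}

bool usable_verify_path(const std::string& dir) { return inspect_ca_dir(dir).hashed > 0; }

int main(int argc, char** argv) {
    // Default is the Homebrew path quoted in the thread; SSL_CERT_DIR (treated
    // here as a single directory, an assumption) or argv[1] overrides it.
    const char* env = std::getenv("SSL_CERT_DIR");
    std::string dir = argc > 1 ? argv[1] : env ? env : "/usr/local/etc/openssl";
    CaDirReport r = inspect_ca_dir(dir);
    std::printf("%s: exists=%d hashed=%d unhashed_pem=%d -> %s\n", dir.c_str(), r.exists,
                r.hashed, r.plain_pem, usable_verify_path(dir) ? "usable" : "not usable");
    return 0;
}
```

A directory that reports only unhashed *.pem files needs its hash links created (for example with OpenSSL's rehash tooling) before it can serve as a verify path; a single bundle file is loaded with load_verify_file instead.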
Coordinator
May 14, 2014 at 6:29 PM
Hi Eske,

We don't currently have plans to implement this particular feature, but your proposed fix does sound solid. I've opened an issue to track it (issue).

Also, we do accept contributions; considering how close you are to solving this problem, consider implementing it and submitting a pull request?

Thanks,
roschuma
May 14, 2014 at 7:33 PM
Hi Roschuma.

I'll talk with my manager about signing a Contributor License Agreement and create a pull request.

It is fairly easy to do for the POSIX part, as it uses Boost and OpenSSL, but I will have to read up on how the SSL stuff works on Windows to create a complete feature.

eske
Coordinator
May 14, 2014 at 11:08 PM
Hi eske and roschuma,

I haven't looked into this a lot, but perhaps another easy solution is to expose the native handle to the underlying Boost socket so that this and other options can be set easily by users? We do this on Windows for WinHttp and IXmlHttpRequest2 using the set_nativehandle_options feature on http_client_config.

Steve