I'm updating a Windows XMPP client that uses libstrophe. There's been
a change to tls_new(xmpp_conn_t *conn) in tls_openssl.c since I first
wrote this client that is causing me some grief, specifically:
    SSL_CTX_set_verify (tls->ssl_ctx, SSL_VERIFY_NONE, NULL);
has been changed to:
    /* Trust server's certificate when user sets the flag explicitly. */
    mode = conn->tls_trust ? SSL_VERIFY_NONE : SSL_VERIFY_PEER;
    SSL_set_verify(tls->ssl, mode, 0);
I can see the benefit of SSL_VERIFY_PEER, but I don't know how to work
it, because with a bit of googling it would seem that SSL_VERIFY_PEER
requires a certificate file (cacert.pem) somewhere on the client
machine, a file that can be obtained from
https://curl.haxx.se/docs/caextract.html. Is my understanding correct?
If so, how do I specify the file pathname using libstrophe? How
often does that file need to be updated? Is there a better source for
this file? If I've got this wrong, what should I be doing to allow SSL
to verify the certificate?
Alternatively, I could forgo the benefit and go back to using
SSL_VERIFY_NONE. I can see the flag that "the user must set
explicitly" is held in xmpp_conn_t::tls_trust, but how do I set that
flag from the libstrophe public API? Yes, I could just edit the
libstrophe code and compile, but I would rather do this the proper way,
in my client, if there is a proper way.
- robert