Will Bond

Results 458 comments of Will Bond

Yeah, once I have the OpenSSL backend finished up, then I think I'll have an idea of what sort of context needs to be persisted and how an API can...

Ok, great - I believe callbacks will be easier to implement and simpler to use. Now, the final bit I want to understand is related to the statement: "Pretty much...

Initial implementation and testing of TLSSocket and TLSSession are complete. With that work done, the refactoring for this change should be fairly straightforward. Once you have a chance to...

This will actually take some more work, possibly quite a bit since the OS TLS libraries deal with fetching revocation information in a blocking manner. To work around this, there...

Windows does.

But yeah, either way there should be a consistent API in oscrypto for disabling or enabling revocation checks. And then, that would need to be exposed to/via the async API.

And yes, the testing I just did confirmed that OpenSSL and Secure Transport by default don't care about revoked certificates.

According to the SecureTransport reference, SecEvaluateTrust can trigger network access. https://developer.apple.com/library/ios/documentation/Security/Reference/certifkeytrustservices/index.html#//apple_ref/c/func/SecTrustEvaluate Apparently that is not for CRL/OCSP checking, but network-hosted trust roots. So manual validation using SecTrustEvaluateAsync would need to...

Discovered that OS X 10.7-10.9 do revocation checks by default.

No, just CRL and OCSP checks do happen during a normal request cycle on 10.7-10.9 even though they do not in 10.10+. Currently I am in the process of working...