[beast] Platform proxy settings, SSL verification
Here are just a few quick comments re Beast: 1. It's a terrible name, but I believe others have already mentioned that. 2. I don't believe there is any integration with platform proxy settings. I'll explain: I have my own basic HTTP client and server code that I've used in a handful of projects. There are a few features that it lacks that have caused me problems. In particular, when I tried to use my HTTP client code in an iOS app, it worked on WiFi networks but not on some cellular networks. After much remote debugging I realised that some cellular carriers in some countries require that HTTP traffic goes via a (non-transparent) proxy. If you use the iOS http client then this is handled for you, but my code knows nothing about it. For me to test a fix for this I would have had to fly to another continent.... This is the sort of thing that is particularly valuable in a Boost library: I try to write portable code, but I don't know the details of every platform that it will run on or even have test systems available to me. Having a library that knows about the platform-specific details, and which has been tested on a wide variety of those platforms, is very valuable. (And a library that instead just does the "easy parts" is something that I could have written, or already have written, myself.) 3. Finally a comment about the SSL example at https://github.com/vinniefalco/Beast/blob/master/example/http-client-ssl/htt... This says stream.set_verify_mode(ssl::verify_none); Please correct me if I'm wrong, but I think that means that it does not do any sort of certificate verification. As a matter of principle, I think that the *first* SSL example should show how to establish a properly-secure connection. See for example http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf (""The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software") and e.g. https://lwn.net/Articles/522111/ for discussion. A quick look at http://www.boost.org/doc/libs/1_47_0/doc/html/boost_asio/overview/ssl.html suggests that this might add as few as two more lines to the code. Regards, Phil.
On Sat, Jul 1, 2017 at 10:02 AM, Phil Endecott via Boost
1. It's a terrible name
I believe that point is addressed in the FAQ :)
2. I don't believe there is any integration with platform proxy settings.
That is correct. Such integration is outside the scope of the library, Beast doesn't try to be an HTTP client. It only handles modeling, sending, and receiving HTTP messages... ...and WebSocket! Poor WebSocket....
Having a library that knows about the platform-specific details, and which has been tested on a wide variety of those platforms, is very valuable.
I agree; perhaps you will write that library on top of Beast?
https://github.com/vinniefalco/Beast/blob/master/example/http-client-ssl/htt... ... Please correct me if I'm wrong, but I think that means that it does not do any sort of certificate verification.
Correct. I'm not an expert in using certificates, can your issue be remedied simply by changing the value passed in? If so, I will gladly make that change please open an issue here: https://github.com/vinniefalco/Beast/issues
As a matter of principle, I think that the *first* SSL example should show how to establish a properly-secure connection.
If this is as easy as changing the argument passed then that's no problem as I said just open an issue. But to the more general point, I disagree. Its not within the scope of Beast to teach people how to use OpenSSL. Boost.Asio already assumes that responsibility since it provides the boost::asio::ssl::stream class and comes with examples of certificate use. I have no desire to reinvent the wheel. The SSL examples in Beast exist only to demonstrate that such integration is possible, not to educate the user on every aspect of its use. Beast does not require or use OpenSSL in its implementation. There is merit in having a great tutorial on effectively SSL with Asio that covers certificates, ciphers, verification, use of alternative libraries such as LibreSSL or BoringSSL. However, Beast is not the place for that tutorial. Thanks
Vinnie Falco wrote:
https://github.com/vinniefalco/Beast/blob/master/example/http-client-ssl/htt... ... Please correct me if I'm wrong, but I think that means that it does not do any sort of certificate verification.
Correct. I'm not an expert in using certificates, can your issue be remedied simply by changing the value passed in?
I can only refer to the ASIO documentation that I linked to a bit later in my message (which you didn't quote).
Its not within the scope of Beast to teach people how to use OpenSSL.
There seems to be a lot that is "outside the scope" of Beast. Regards, Phil.
On Sat, Jul 1, 2017 at 1:45 PM, Phil Endecott via Boost
Its not within the scope of Beast to teach people how to use OpenSSL.
There seems to be a lot that is "outside the scope" of Beast.
Yes, that is by design. I'm keeping the scope of the library limited to only that which I think has a chance at standardization (once N4588 becomes part of the spec).
On Sat, Jul 1, 2017 at 10:02 AM, Phil Endecott via Boost
As a matter of principle, I think that the *first* SSL example should show how to establish a properly-secure connection.
I've created a new branch called "review-addendum-2" which sets the verify mode: https://github.com/vinniefalco/Beast/blob/e3bfb801b795ab8be1d0d8ff9e31de6e9c... and comes with a couple of root certificates: https://github.com/vinniefalco/Beast/blob/e3bfb801b795ab8be1d0d8ff9e31de6e9c... These changes will be part of version 73
participants (2)
-
Phil Endecott -
Vinnie Falco