On Tue, 2009-09-08 at 16:33 -0700, Juan Lang wrote: 
Hi Frank,

On Tue, Sep 8, 2009 at 4:15 PM, Frank Gruman<fgatwork@verizon.net> wrote:
> Looking at chain.c, line 1886-1902 I can see the switch-case statement
> where this would have been handled.  The problem I ran into while trying
> to keep up with the code was figuring out what the verify_* methods are
> trying to do.
>
> I'd really like to see this work and may have some spare cycles to help
> out.  The problem is that I don't understand everything happening in
> these methods - can I get some pointers to what is happening or what
> should happen in the yet to be created verify_ssl_policy() method?

The short answer is, if you don't care about the validity of the
certificates you're trying to connect to, you can hack this function
to return TRUE rather than FALSE.  This is an awful hack, however, and
can't be accepted into the Wine tree, but if all you care about is to
get the darn thing to work, it might be enough for you.

The longer answer is the generic Wine answer:  what should happen is
whatever Windows does.  To find out what Windows does, you need to
write tests for it.  Have a look at dlls/crypt32/tests/chain.c for a
start.  You'll want to mimic the existing tests, and try with
different SSL_EXTRA_CERT_CHAIN_POLICY_PARA values.

Since that's not very specific, here's a slightly more directed
answer:  the as-yet-unwritten verify_ssl_policy() should call
verify_base_policy() first.  If it succeeds, it should verify that the
certificate matches the intended use.  At a minimum, if the
SSL_EXTRA_CERT_CHAIN_POLICY_PARA is specified, you need to verify that
its pwszServerName matches the subject name in the certificate.  Be
careful not to introduce the embedded NULL character vulnerability
(see e.g. CVE-2009-2417.)  There are probably more checks needed,
either in verify_base_policy or in verify_ssl_policy, e.g. checking
the key usage extension.  RFC3280 is a good guide for the kinds of
checks that need to be done.

Intimidated yet?  That's why I haven't gotten around to it myself:
it's not a quick fix, and I haven't had a lot of free time.  But if
you have the time to do it right, by all means have a go!
--Juan

Only slightly daunted.  But I will give it a go.  It won't be over night, but I think I can, I think I can, I think I can...

Thanks for the pointers on where to look and start.

Regards,
Frank