On 06/04/20 17:31, Andrew Dunstan wrote:
> Do we actually do any of this sort of thing? I confess my impression was
> this is all handled by the openssl libraries, we just hand over the
> certs and let openssl do its thing. Am I misinformed about that?

I haven't delved very far into the code yet (my initial aim with this thread was not to pose a rhetorical question, but an ordinary one, and somebody would know the answer).

By analogy to other SSL libraries I have worked with, my guess would be that there are certain settings and callbacks available that would determine some of what it is doing. In the javax.net.ssl package [1], for example, there are HostnameVerifier and TrustManager interfaces; client code can supply implementations of these that embody its desired policies.

Regards,
-Chap