Subject: [boost] [beast] Platform proxy settings, SSL verification
From: Phil Endecott (spam_from_boost_dev_at_[hidden])
Date: 2017-07-01 17:02:04


Here are just a few quick comments re Beast:

1. It's a terrible name, but I believe others have already
mentioned that.

2. I don't believe there is any integration with platform proxy
settings. I'll explain:

I have my own basic HTTP client and server code that I've used in
a handful of projects. There are a few features that it lacks that
have caused me problems. In particular, when I tried to use my
HTTP client code in an iOS app, it worked on WiFi networks but not
on some cellular networks. After much remote debugging I realised
that some cellular carriers in some countries require that HTTP
traffic goes via a (non-transparent) proxy. If you use the iOS
http client then this is handled for you, but my code knows nothing
about it. For me to test a fix for this I would have had to fly
to another continent....

This is the sort of thing that is particularly valuable in a
Boost library: I try to write portable code, but I don't know the
details of every platform that it will run on or even have test
systems available to me. Having a library that knows about the
platform-specific details, and which has been tested on a wide
variety of those platforms, is very valuable. (And a library
that instead just does the "easy parts" is something that I could
have written, or already have written, myself.)

3. Finally a comment about the SSL example at
https://github.com/vinniefalco/Beast/blob/master/example/http-client-ssl/http_client_ssl.cpp

This says stream.set_verify_mode(ssl::verify_none);

Please correct me if I'm wrong, but I think that means that it does
not do any sort of certificate verification.

As a matter of principle, I think that the *first* SSL example
should show how to establish a properly-secure connection. See for example
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf ("The Most Dangerous
Code in the World: Validating SSL Certificates in Non-Browser Software")
and e.g. https://lwn.net/Articles/522111/ for discussion. A quick look
at http://www.boost.org/doc/libs/1_47_0/doc/html/boost_asio/overview/ssl.html
suggests that this might add as few as two more lines to the code.

Regards, Phil.
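
Added example (not part of the message above, and not Beast or Asio code): with `ssl::verify_none` neither the certificate chain nor the host name is checked, whereas the Asio SSL overview linked in the message pairs `set_verify_mode(ssl::verify_peer)` with `set_verify_callback(ssl::rfc2818_verification(host))`. The self-contained C++ below shows the host-name half of that check in RFC 2818 style, matching a requested host against a certificate's DNS names. The functions `match_dns_name` and `cert_matches_host` and all sample names are constructed for illustration, and IP addresses and internationalized names are out of scope.

```cpp
// Added illustration, not Boost.Asio source: the host-name decision that a
// verifying TLS client makes and that ssl::verify_none never reaches.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case ASCII copy; DNS names compare case-insensitively.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Match one certificate DNS name (pattern) against the requested host.
// A "*" is honoured only as the entire left-most label and covers exactly
// one label, so "*.example.com" matches "www.example.com" but neither
// "example.com" nor "a.b.example.com".
bool match_dns_name(const std::string& pattern_in, const std::string& host_in) {
    const std::string pattern = lower(pattern_in), host = lower(host_in);
    if (pattern.empty() || host.empty()) return false;
    if (pattern.compare(0, 2, "*.") != 0) return pattern == host;
    const std::string suffix = pattern.substr(1);               // ".example.com"
    if (suffix.find('*') != std::string::npos) return false;    // one wildcard only
    if (suffix.find('.', 1) == std::string::npos) return false; // reject "*.com"
    const std::size_t dot = host.find('.');
    if (dot == std::string::npos || dot == 0) return false;     // non-empty first label
    return host.compare(dot, std::string::npos, suffix) == 0;
}

// Accept the certificate for `host` only if one of its DNS names matches.
// `dns_names` stands in for the subjectAltName entries of an already
// chain-validated certificate (constructed input, no real parsing here).
bool cert_matches_host(const std::vector<std::string>& dns_names,
                       const std::string& host) {
    return std::any_of(dns_names.begin(), dns_names.end(),
        [&](const std::string& n) { return match_dns_name(n, host); });
}

int main() {
    // Constructed certificate names; exits 0 when the matches are as expected.
    const std::vector<std::string> names = {"example.com", "*.example.com"};
    return cert_matches_host(names, "www.example.com") &&
           !cert_matches_host(names, "a.b.example.com") ? 0 : 1;
}
```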


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk