Using the Security Callbacks
A callback is a function that is executed when a certain condition is met. Usually, each callback is registered with a specific class.
The HTTPS package includes a security callback mechanism that requests the certificate of the server and compares the name in the certificate to the name of the host. This function is important because an attacker could divert your HTTPS request to another server and supply you with a valid certificate for that server instead.
This is how the callback mechanism works:
1. After a connection is established, the HTTPS package calls a certificate name check callback. The default version of this callback compares the “Common Name” field in the certificate to the host name. For more information, see Certificate Name Check Callback.
2. If the certificate name check callback returns false, the name in the certificate is not the same as the name of the host, and the certificate name mismatch callback is called. The default version of this callback throws an exception of type RWHttpsCertificateNameMismatch. For more information, see Certificate Name Mismatch Callback.

The default versions of these callbacks are sufficient for many applications. They are implemented using functors from the Functor package of the Threads Module of SourcePro Core. Functors are more flexible than pointers to functions because they allow you to pass extra arguments to the function as callee data. Also, you do not need to cast those arguments to a void* pointer, as most pointer-to-function implementations require. See the Threads Module User’s Guide for more information on functors.
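The two-step flow above, modelled in standard C++ as an added example; it is not SourcePro code and does not use the package's API. NameMismatch, NameCheck, MismatchCb, AuditingMismatch, verifyPeer and peerRejected are hypothetical names, std::function stands in for the functor classes, and the host names are constructed samples.

```cpp
#include <algorithm>
#include <cctype>
#include <functional>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-ins for illustration; NOT the SourcePro classes or signatures.
struct NameMismatch : std::runtime_error { using std::runtime_error::runtime_error; };
using NameCheck  = std::function<bool(const std::string& cn, const std::string& host)>;
using MismatchCb = std::function<void(const std::string& cn, const std::string& host)>;

// Model of the default check: Common Name must equal the host name. Comparing
// case-insensitively is this example's choice (DNS names are case-insensitive).
bool defaultNameCheck(const std::string& cn, const std::string& host) {
    return cn.size() == host.size() &&
           std::equal(cn.begin(), cn.end(), host.begin(), [](unsigned char a, unsigned char b) {
               return std::tolower(a) == std::tolower(b);
           });
}

// Model of the default mismatch callback: always throws.
void defaultNameMismatch(const std::string& cn, const std::string& host) {
    throw NameMismatch("certificate name '" + cn + "' does not match host '" + host + "'");
}

// Functor carrying callee data: records the mismatch, then still rejects the peer.
struct AuditingMismatch {
    std::vector<std::string>* log;  // callee data, typed, no void* cast
    void operator()(const std::string& cn, const std::string& host) const {
        log->push_back(host + " presented " + cn);
        defaultNameMismatch(cn, host);
    }
};

// Steps 1 and 2 of the flow above. In this model, a mismatch callback that
// returns instead of throwing lets the connection proceed unverified.
bool verifyPeer(const std::string& cn, const std::string& host,
                const NameCheck& check = defaultNameCheck,
                const MismatchCb& onMismatch = defaultNameMismatch) {
    if (!check(cn, host)) onMismatch(cn, host);
    return true;
}

// True if the peer was rejected (the mismatch callback threw).
bool peerRejected(const std::string& cn, const std::string& host,
                  const MismatchCb& cb = defaultNameMismatch) {
    try { verifyPeer(cn, host, defaultNameCheck, cb); return false; }
    catch (const NameMismatch&) { return true; }
}
```

A replacement mismatch callback that only logs and returns would turn the name check into a no-op in this model, which is why AuditingMismatch delegates to the throwing default after recording the event.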
If you want to write your own callbacks, see Supplying Your Own Callbacks.

For more information about security, see SSL and TLS - Designing and Building Secure Systems, by Eric Rescorla, referenced in Appendix B.